commit 2255d5f5b648069fa889ed153794d0e6e7ab9444
Author: Pierre Schweitzer <pierre(a)reactos.org>
AuthorDate: Fri Nov 16 21:28:42 2018 +0100
Commit: Pierre Schweitzer <pierre(a)reactos.org>
CommitDate: Fri Nov 16 22:07:08 2018 +0100
[WIN32SS] Avoid a use-after-free in FontFamilyFillInfo().
CID 1441367
---
win32ss/gdi/ntgdi/freetype.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/win32ss/gdi/ntgdi/freetype.c b/win32ss/gdi/ntgdi/freetype.c
index ce655c5d3e..dd5e0064a5 100644
--- a/win32ss/gdi/ntgdi/freetype.c
+++ b/win32ss/gdi/ntgdi/freetype.c
@@ -2605,14 +2605,13 @@ FontFamilyFillInfo(PFONTFAMILYINFO Info, LPCWSTR FaceName,
sizeof(Info->EnumLogFontEx.elfFullName),
FullName);
- ExFreePoolWithTag(Otm, GDITAG_TEXT);
-
RtlInitAnsiString(&StyleA, Face->style_name);
StyleW.Buffer = Info->EnumLogFontEx.elfStyle;
StyleW.MaximumLength = sizeof(Info->EnumLogFontEx.elfStyle);
status = RtlAnsiStringToUnicodeString(&StyleW, &StyleA, FALSE);
if (!NT_SUCCESS(status))
{
+ ExFreePoolWithTag(Otm, GDITAG_TEXT);
return;
}
Info->EnumLogFontEx.elfScript[0] = UNICODE_NULL;
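Review bot: With this change every early exit between the `Otm` allocation and its last read has to carry its own `ExFreePoolWithTag(Otm, GDITAG_TEXT)` — this hunk's `return` after a failed RtlAnsiStringToUnicodeString, the `!pOS2` branch in the next hunk, and the success path each free it separately. That duplication is what let the original free drift ahead of the last read (CID 1441367), and any early return added later will leak `Otm` unless its author remembers the same line. A single cleanup label placed after the last use of `Otm`, reached with `goto Cleanup;` from the failure branches, would keep one free in one place. FontFamilyFillInfo begins before this hunk and continues past it, so there may be further exits the diff does not show.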
@@ -2623,6 +2622,7 @@ FontFamilyFillInfo(PFONTFAMILYINFO Info, LPCWSTR FaceName,
if (!pOS2)
{
IntUnLockFreeType();
+ ExFreePoolWithTag(Otm, GDITAG_TEXT);
return;
}
@@ -2630,6 +2630,8 @@ FontFamilyFillInfo(PFONTFAMILYINFO Info, LPCWSTR FaceName,
Ntm->ntmCellHeight = pOS2->usWinAscent + pOS2->usWinDescent;
Ntm->ntmAvgWidth = 0;
+ ExFreePoolWithTag(Otm, GDITAG_TEXT);
+
fs.fsCsb[0] = pOS2->ulCodePageRange1;
fs.fsCsb[1] = pOS2->ulCodePageRange2;
fs.fsUsb[0] = pOS2->ulUnicodeRange1;
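Review bot: After the new `ExFreePoolWithTag(Otm, GDITAG_TEXT)` the `Otm` pointer stays in scope holding a dangling value for the rest of the function, so any later read would repeat exactly the bug this commit fixes; adding `Otm = NULL;` immediately after the free turns such a read into a null dereference rather than a silent use-after-free. The lines that follow in this hunk read `pOS2`, not `Otm`, so they are unaffected as far as the hunk shows, but the function continues past it and I cannot see whether anything else still references `Otm`. If nothing does, the free belongs among the function's final statements, which would also remove the need for the three separate free calls this commit adds.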