[WIN32SS] Avoid an user-after-free in FontFamilyFillInfo().
authorPierre Schweitzer <pierre@reactos.org>
Fri, 16 Nov 2018 20:28:42 +0000 (21:28 +0100)
committerPierre Schweitzer <pierre@reactos.org>
Fri, 16 Nov 2018 21:07:08 +0000 (22:07 +0100)
CID 1441367

win32ss/gdi/ntgdi/freetype.c

index ce655c5..dd5e006 100644 (file)
@@ -2605,14 +2605,13 @@ FontFamilyFillInfo(PFONTFAMILYINFO Info, LPCWSTR FaceName,
                      sizeof(Info->EnumLogFontEx.elfFullName),
                      FullName);
 
-    ExFreePoolWithTag(Otm, GDITAG_TEXT);
-
     RtlInitAnsiString(&StyleA, Face->style_name);
     StyleW.Buffer = Info->EnumLogFontEx.elfStyle;
     StyleW.MaximumLength = sizeof(Info->EnumLogFontEx.elfStyle);
     status = RtlAnsiStringToUnicodeString(&StyleW, &StyleA, FALSE);
     if (!NT_SUCCESS(status))
     {
+        ExFreePoolWithTag(Otm, GDITAG_TEXT);
         return;
     }
     Info->EnumLogFontEx.elfScript[0] = UNICODE_NULL;
@@ -2623,6 +2622,7 @@ FontFamilyFillInfo(PFONTFAMILYINFO Info, LPCWSTR FaceName,
     if (!pOS2)
     {
         IntUnLockFreeType();
+        ExFreePoolWithTag(Otm, GDITAG_TEXT);
         return;
     }
 
@@ -2630,6 +2630,8 @@ FontFamilyFillInfo(PFONTFAMILYINFO Info, LPCWSTR FaceName,
     Ntm->ntmCellHeight = pOS2->usWinAscent + pOS2->usWinDescent;
     Ntm->ntmAvgWidth = 0;
 
+    ExFreePoolWithTag(Otm, GDITAG_TEXT);
+
     fs.fsCsb[0] = pOS2->ulCodePageRange1;
     fs.fsCsb[1] = pOS2->ulCodePageRange2;
     fs.fsUsb[0] = pOS2->ulUnicodeRange1;