mirror of
https://github.com/reactos/reactos.git
synced 2024-09-28 21:44:31 +00:00
[WIN32SS] Avoid an user-after-free in FontFamilyFillInfo().
CID 1441367
This commit is contained in:
parent
3fddd3157c
commit
2255d5f5b6
|
@ -2605,14 +2605,13 @@ FontFamilyFillInfo(PFONTFAMILYINFO Info, LPCWSTR FaceName,
|
||||||
sizeof(Info->EnumLogFontEx.elfFullName),
|
sizeof(Info->EnumLogFontEx.elfFullName),
|
||||||
FullName);
|
FullName);
|
||||||
|
|
||||||
ExFreePoolWithTag(Otm, GDITAG_TEXT);
|
|
||||||
|
|
||||||
RtlInitAnsiString(&StyleA, Face->style_name);
|
RtlInitAnsiString(&StyleA, Face->style_name);
|
||||||
StyleW.Buffer = Info->EnumLogFontEx.elfStyle;
|
StyleW.Buffer = Info->EnumLogFontEx.elfStyle;
|
||||||
StyleW.MaximumLength = sizeof(Info->EnumLogFontEx.elfStyle);
|
StyleW.MaximumLength = sizeof(Info->EnumLogFontEx.elfStyle);
|
||||||
status = RtlAnsiStringToUnicodeString(&StyleW, &StyleA, FALSE);
|
status = RtlAnsiStringToUnicodeString(&StyleW, &StyleA, FALSE);
|
||||||
if (!NT_SUCCESS(status))
|
if (!NT_SUCCESS(status))
|
||||||
{
|
{
|
||||||
|
ExFreePoolWithTag(Otm, GDITAG_TEXT);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
Info->EnumLogFontEx.elfScript[0] = UNICODE_NULL;
|
Info->EnumLogFontEx.elfScript[0] = UNICODE_NULL;
|
||||||
|
@ -2623,6 +2622,7 @@ FontFamilyFillInfo(PFONTFAMILYINFO Info, LPCWSTR FaceName,
|
||||||
if (!pOS2)
|
if (!pOS2)
|
||||||
{
|
{
|
||||||
IntUnLockFreeType();
|
IntUnLockFreeType();
|
||||||
|
ExFreePoolWithTag(Otm, GDITAG_TEXT);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -2630,6 +2630,8 @@ FontFamilyFillInfo(PFONTFAMILYINFO Info, LPCWSTR FaceName,
|
||||||
Ntm->ntmCellHeight = pOS2->usWinAscent + pOS2->usWinDescent;
|
Ntm->ntmCellHeight = pOS2->usWinAscent + pOS2->usWinDescent;
|
||||||
Ntm->ntmAvgWidth = 0;
|
Ntm->ntmAvgWidth = 0;
|
||||||
|
|
||||||
|
ExFreePoolWithTag(Otm, GDITAG_TEXT);
|
||||||
|
|
||||||
fs.fsCsb[0] = pOS2->ulCodePageRange1;
|
fs.fsCsb[0] = pOS2->ulCodePageRange1;
|
||||||
fs.fsCsb[1] = pOS2->ulCodePageRange2;
|
fs.fsCsb[1] = pOS2->ulCodePageRange2;
|
||||||
fs.fsUsb[0] = pOS2->ulUnicodeRange1;
|
fs.fsUsb[0] = pOS2->ulUnicodeRange1;
|
||||||
|
|
Loading…
Reference in a new issue