From 4a6b865483239450fc1be2fd431800a7ded9fe58 Mon Sep 17 00:00:00 2001 
From: Joachim Henze Date: Wed, 2 Aug 2023 00:33:27 +0200 Subject: [PATCH] [0.4.13][NTOS][WIN32SS] Fix double free in ObCreateObject Backport the following commits: 0.4.15-dev-6401-g 53b30e3f3bf454356dad537c782543cba35e0f1a [NTOSKRNL][NTGDI] Formatting addendum, no functional change 0.4.15-dev-5487-g e7bbbf049e3c53f7477fb3c53e1910ac417066b5 [NTOS] Fix double free on allocation failure in ObCreateObject Just for verifying that the size didn't increase anywhere: ntoskrnl.exe GCC8.4.0dbg RosBEWin2.2.2 master 5.124.096 ntoskrnl.exe GCC4.7.2dbg RosBEWin2.1.6 0.4.14 4.413.440 -> 4.413.440 ntoskrnl.exe GCC4.7.2dbg RosBEWin2.1.6 0.4.13 4.367.360 -> 4.367.360 ntoskrnl.exe GCC4.7.2dbg RosBEWin2.1.6 0.4.12 4.377.600 -> 4.377.600 ntoskrnl.exe GCC4.7.2dbg RosBEWin2.1.6 0.4.11 4.377.088 -> 4.377.088 ntoskrnl.exe GCC4.7.2dbg RosBEWin2.1.6 0.4.10 4.344.320 -> 4.344.320 ntoskrnl.exe GCC4.7.2dbg RosBEWin2.1.6 0.4. 9 4.311.552 -> 4.311.552 ntoskrnl.exe GCC4.7.2dbg RosBEWin2.1.6 0.4. 8 4.296.704 -> 4.296.704 ntoskrnl.exe GCC4.7.2dbg RosBEWin2.1.6 0.4. 7 4.231.168 -> 4.231.168 udfs.sys GCC8.4.0dbg RosBEWin2.2.2 master 835.584 udfs.sys GCC4.7.2dbg RosBEWin2.1.6 0.4.14 745.472 -> 745.472 udfs.sys GCC4.7.2dbg RosBEWin2.1.6 0.4.13 745.472 -> 745.472 udfs.sys GCC4.7.2dbg RosBEWin2.1.6 0.4.12 749.568 -> 749.568 udfs.sys GCC4.7.2dbg RosBEWin2.1.6 0.4.11 749.568 -> 749.568 udfs.sys GCC4.7.2dbg RosBEWin2.1.6 0.4.10 749.568 -> 749.568 udfs.sys GCC4.7.2dbg RosBEWin2.1.6 0.4. 9 749.568 -> 749.568 udfs.sys GCC4.7.2dbg RosBEWin2.1.6 0.4. 8 749.568 -> 749.568 udfs.sys GCC4.7.2dbg RosBEWin2.1.6 0.4. 
7 749.568 -> 749.568 user32.dll GCC8.4.0dbg RosBEWin2.2.2 master 1.585.152 user32.dll GCC4.7.2dbg RosBEWin2.1.6 0.4.14 1.448.448 -> 1.448.448 user32.dll GCC4.7.2dbg RosBEWin2.1.6 0.4.13 1.445.376 -> 1.445.376 user32.dll GCC4.7.2dbg RosBEWin2.1.6 0.4.12 1.455.616 -> 1.455.616 user32.dll GCC4.7.2dbg RosBEWin2.1.6 0.4.11 1.453.056 -> 1.453.056 user32.dll GCC4.7.2dbg RosBEWin2.1.6 0.4.10 1.434.624 -> 1.434.624 user32.dll GCC4.7.2dbg RosBEWin2.1.6 0.4. 9 1.422.336 -> 1.422.336 user32.dll GCC4.7.2dbg RosBEWin2.1.6 0.4. 8 1.421.824 -> 1.421.824 user32.dll GCC4.7.2dbg RosBEWin2.1.6 0.4. 7 1.418.752 -> 1.418.752 win32k.sys GCC8.4.0dbg RosBEWin2.2.2 master 3.477.504 win32k.sys GCC4.7.2dbg RosBEWin2.1.6 0.4.14 2.904.064 -> 2.904.064 win32k.sys GCC4.7.2dbg RosBEWin2.1.6 0.4.13 2.895.872 -> 2.895.872 win32k.sys GCC4.7.2dbg RosBEWin2.1.6 0.4.12 2.887.680 -> 2.887.680 win32k.sys GCC4.7.2dbg RosBEWin2.1.6 0.4.11 2.867.200 -> 2.867.200 win32k.sys GCC4.7.2dbg RosBEWin2.1.6 0.4.10 2.863.104 -> 2.863.104 win32k.sys GCC4.7.2dbg RosBEWin2.1.6 0.4. 9 2.834.432 -> 2.834.432 win32k.sys GCC4.7.2dbg RosBEWin2.1.6 0.4. 8 2.830.336 -> 2.830.336 win32k.sys GCC4.7.2dbg RosBEWin2.1.6 0.4. 7 2.830.336 -> 2.830.336
---
 ntoskrnl/config/cmsysini.c | 8 +-------
 ntoskrnl/ob/oblife.c | 12 +++++++-----
 win32ss/gdi/ntgdi/freetype.c | 12 +++---------
 3 files changed, 11 insertions(+), 21 deletions(-)
diff --git a/ntoskrnl/config/cmsysini.c b/ntoskrnl/config/cmsysini.c
index 6f9414bde68..5e8001df53f 100644
--- a/ntoskrnl/config/cmsysini.c
+++ b/ntoskrnl/config/cmsysini.c
@@ -1,7 +1,6 @@
 /*
 * PROJECT: ReactOS Kernel
 * LICENSE: BSD - See COPYING.ARM in the top level directory
- * FILE: ntoskrnl/config/cmsysini.c
 * PURPOSE: Configuration Manager - System Initialization Code
 * PROGRAMMERS: ReactOS Portable Systems Group
 * Alex Ionescu (alex.ionescu@reactos.org)
@@ -873,7 +872,6 @@ CmpInitializeSystemHive(IN PLOADER_PARAMETER_BLOCK LoaderBlock)
 UNICODE_STRING KeyName;
 PCMHIVE SystemHive = NULL;
 PSECURITY_DESCRIPTOR SecurityDescriptor;
- BOOLEAN Success;
 PAGED_CODE();
@@ -921,12 +919,8 @@ CmpInitializeSystemHive(IN PLOADER_PARAMETER_BLOCK LoaderBlock)
 }
 /* Set the hive filename */
- Success = RtlCreateUnicodeString(&SystemHive->FileFullPath,
- L"\\SystemRoot\\System32\\Config\\SYSTEM");
- if (!Success)
- {
+ if (!RtlCreateUnicodeString(&SystemHive->FileFullPath, L"\\SystemRoot\\System32\\Config\\SYSTEM"))
 return FALSE;
- }
 /* Manually set the hive as volatile, if in Live CD mode */
 if (HiveBase && CmpShareSystemHives)
diff --git a/ntoskrnl/ob/oblife.c b/ntoskrnl/ob/oblife.c
index d649b0f0492..0be0fd1b4d8 100644
--- a/ntoskrnl/ob/oblife.c
+++ b/ntoskrnl/ob/oblife.c
@@ -872,10 +872,11 @@ ObpAllocateObject(IN POBJECT_CREATE_INFORMATION ObjectCreateInfo,
 NTSTATUS
 NTAPI
-ObQueryTypeInfo(IN POBJECT_TYPE ObjectType,
- OUT POBJECT_TYPE_INFORMATION ObjectTypeInfo,
- IN ULONG Length,
- OUT PULONG ReturnLength)
+ObQueryTypeInfo(
+ IN POBJECT_TYPE ObjectType,
+ OUT POBJECT_TYPE_INFORMATION ObjectTypeInfo,
+ IN ULONG Length,
+ OUT PULONG ReturnLength)
 {
 NTSTATUS Status = STATUS_SUCCESS;
 PWSTR InfoBuffer;
@@ -887,7 +888,7 @@ ObQueryTypeInfo(IN POBJECT_TYPE ObjectType,
 *ReturnLength += sizeof(*ObjectTypeInfo) + ALIGN_UP(ObjectType->Name.MaximumLength, ULONG);
- /* Check if thats too much though. */
+ /* Check if that is too much */
 if (Length < *ReturnLength)
 {
 _SEH2_YIELD(return STATUS_INFO_LENGTH_MISMATCH);
@@ -1036,6 +1037,7 @@ ObCreateObject(IN KPROCESSOR_MODE ProbeMode OPTIONAL,
 /* Release the Capture Info, we don't need it */
 ObpFreeObjectCreateInformation(ObjectCreateInfo);
 if (ObjectName.Buffer) ObpFreeObjectNameBuffer(&ObjectName);
+ return Status;
 }
 /* We failed, so release the Buffer */
diff --git a/win32ss/gdi/ntgdi/freetype.c b/win32ss/gdi/ntgdi/freetype.c
index da724371bb3..426309ba03c 100644
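Review bot: The rewritten early exit in the `@@ -921,12 +919,8` hunk, `if (!RtlCreateUnicodeString(...)) return FALSE;`, drops the braces the removed lines had and puts a condition well past 100 columns in front of an unbraced `return FALSE;`; I would keep `{ return FALSE; }` (or split the argument list over two lines as the old code did) so a statement added later cannot silently land outside the `if`. On that same path `SystemHive`, declared `PCMHIVE SystemHive = NULL;` in the hunk above, is not released before returning; whether it has already been allocated by this point is not visible here and the behaviour predates this commit, so please confirm against the part of the function outside the hunk rather than take my word for it. CmpInitializeSystemHive starts and ends outside the hunk.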
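Review bot: The added `return Status;` in the `@@ -1036,6 +1037,7` hunk is load-bearing and should say so, because without it control falls through into the `/* We failed, so release the Buffer */` path that releases the create information and name buffer the two preceding lines have just freed, which is the double free this backport fixes; I would put `/* Everything was released above: bail out before the generic failure path frees it again */` directly above the return. Since the value of `Status` on this path is assigned outside the hunk (presumably the failed allocation's status, per the commit message) and the early return now makes it the function's result, an `ASSERT(!NT_SUCCESS(Status));` right before it would catch a future refactor that reaches this branch with a success code. ObCreateObject starts and ends outside the hunk.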
--- a/win32ss/gdi/ntgdi/freetype.c
+++ b/win32ss/gdi/ntgdi/freetype.c
@@ -1,7 +1,6 @@
 /*
 * PROJECT: ReactOS win32 kernel mode subsystem
 * LICENSE: GPL - See COPYING in the top level directory
- * FILE: win32ss/gdi/ntgdi/freetype.c
 * PURPOSE: FreeType font engine interface
 * PROGRAMMERS: Copyright 2001 Huw D M Davies for CodeWeavers.
 * Copyright 2006 Dmitry Timoshkov for CodeWeavers.
@@ -520,7 +519,6 @@ IntLoadFontSubstList(PLIST_ENTRY pHead)
 BYTE CharSets[FONTSUBST_FROM_AND_TO];
 LPWSTR pch;
 PFONTSUBST_ENTRY pEntry;
- BOOLEAN Success;
 /* the FontSubstitutes registry key */
 static UNICODE_STRING FontSubstKey =
@@ -565,8 +563,7 @@ IntLoadFontSubstList(PLIST_ENTRY pHead)
 pInfo = (PKEY_VALUE_FULL_INFORMATION)InfoBuffer;
 Length = pInfo->NameLength / sizeof(WCHAR);
 pInfo->Name[Length] = UNICODE_NULL; /* truncate */
- Success = RtlCreateUnicodeString(&FromW, pInfo->Name);
- if (!Success)
+ if (!RtlCreateUnicodeString(&FromW, pInfo->Name))
 {
 Status = STATUS_INSUFFICIENT_RESOURCES;
 DPRINT("RtlCreateUnicodeString failed\n");
@@ -588,8 +585,7 @@ IntLoadFontSubstList(PLIST_ENTRY pHead)
 pch = (LPWSTR)((PUCHAR)pInfo + pInfo->DataOffset);
 Length = pInfo->DataLength / sizeof(WCHAR);
 pch[Length] = UNICODE_NULL; /* truncate */
- Success = RtlCreateUnicodeString(&ToW, pch);
- if (!Success)
+ if (!RtlCreateUnicodeString(&ToW, pch))
 {
 Status = STATUS_INSUFFICIENT_RESOURCES;
 DPRINT("RtlCreateUnicodeString failed\n");
@@ -1692,7 +1688,6 @@ IntLoadFontsInRegistry(VOID)
 LPBYTE InfoBuffer;
 PKEY_VALUE_FULL_INFORMATION pInfo;
 LPWSTR pchPath;
- BOOLEAN Success;
 WCHAR szPath[MAX_PATH];
 INT nFontCount = 0;
 DWORD dwFlags;
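Review bot: The new `if (!RtlCreateUnicodeString(&ToW, pch))` in the `@@ -588,8 +585,7` hunk treats `pch` as NUL-terminated only because the context line `pch[Length] = UNICODE_NULL;` writes one WCHAR at byte offset `DataLength` from the value data, i.e. one element past what the registry query returned; that write is in bounds only if `InfoBuffer` was allocated with at least one spare WCHAR beyond the reported size, which the allocation outside this hunk would have to guarantee, so please confirm it, otherwise every FontSubstitutes value costs a two-byte heap overwrite before the string is even copied. Please also check that the `STATUS_INSUFFICIENT_RESOURCES` exit that follows (outside the hunk) frees `FromW`, which the `@@ -565` hunk above allocates just before this point. IntLoadFontSubstList starts and ends outside the hunk.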
@@ -1759,8 +1754,7 @@ IntLoadFontsInRegistry(VOID)
 pInfo = (PKEY_VALUE_FULL_INFORMATION)InfoBuffer;
 Length = pInfo->NameLength / sizeof(WCHAR);
 pInfo->Name[Length] = UNICODE_NULL; /* truncate */
- Success = RtlCreateUnicodeString(&FontTitleW, pInfo->Name);
- if (!Success)
+ if (!RtlCreateUnicodeString(&FontTitleW, pInfo->Name))
 {
 Status = STATUS_INSUFFICIENT_RESOURCES;
 DPRINT1("RtlCreateUnicodeString failed\n");
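Review bot: The new `if (!RtlCreateUnicodeString(&FontTitleW, pInfo->Name))` depends on the context line `pInfo->Name[Length] = UNICODE_NULL;` to terminate the value name in place, and with `Length = pInfo->NameLength / sizeof(WCHAR)` that terminator is written at byte offset `NameLength` from the start of the name, which is the first WCHAR of the value data whenever `DataOffset` follows the name without padding; any read of the data after this point (outside the hunk) would then see a truncated font path, so please verify the buffer layout or read the data before terminating the name. A short comment making the dependency explicit would help future readers, e.g. `/* terminator written at NameLength: must fall in the padding before DataOffset */`, and rejecting an odd `NameLength` before the division would cheaply guard against a malformed value. Both the enclosing loop and IntLoadFontsInRegistry start and end outside the hunk.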