From b538b9abb8c5bb834f855173fb77459456382d56 Mon Sep 17 00:00:00 2001
From: Doug Lyons
Date: Sun, 21 Nov 2021 19:57:36 -0600
Subject: [PATCH] [WIN32K] Fix 'use after free' in NtGdiStretchDIBitsInternal (#4122)
CORE-17861
---
 win32ss/gdi/ntgdi/dibobj.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/win32ss/gdi/ntgdi/dibobj.c b/win32ss/gdi/ntgdi/dibobj.c
index e8d3acc3d2d..c2b5a8fbb42 100644
--- a/win32ss/gdi/ntgdi/dibobj.c
+++ b/win32ss/gdi/ntgdi/dibobj.c
@@ -1489,7 +1489,6 @@ NtGdiStretchDIBitsInternal(
 if (pdc) DC_UnlockDc(pdc);
 }
- if (pbmiSafe) ExFreePoolWithTag(pbmiSafe, 'imBG');
 if (pvBits) ExFreePoolWithTag(pvBits, TAG_DIB);
 /* This is not what MSDN says is returned from this function, but it
@@ -1504,6 +1503,8 @@ NtGdiStretchDIBitsInternal(
 LinesCopied = pbmiSafe->bmiHeader.biHeight;
 }
+ ExFreePoolWithTag(pbmiSafe, 'imBG');
+
 return LinesCopied;
 }
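Review bot: The relocated `ExFreePoolWithTag(pbmiSafe, 'imBG');` in the second hunk drops the `if (pbmiSafe)` guard that the removed line carried, so it now relies on pbmiSafe being non-NULL on every path that reaches the end of NtGdiStretchDIBitsInternal. The `pbmiSafe->bmiHeader.biHeight` read just above sits inside a conditional block, so it does not establish that on its own, and the allocation and any early returns are outside the hunk; if a NULL can reach this point, keep `if (pbmiSafe) ExFreePoolWithTag(pbmiSafe, 'imBG');`. Either way, a short comment would keep the free from drifting back above the read during later edits, for example `/* Free only after the last read of pbmiSafe->bmiHeader above */`.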