From 9a0a991a729548065ebc7d084a47a21d51561a62 Mon Sep 17 00:00:00 2001
From: Vincent Povirk <vincent@codeweavers.com>
Date: Thu, 30 Sep 2010 12:33:36 -0500
Subject: [PATCH 1/2] gdiplus: Don't try to free invalid or already-freed images.

---
 dlls/gdiplus/image.c       |   10 ++++++++--
 dlls/gdiplus/tests/image.c |   24 ++++++++++++++++++++++++
 2 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/dlls/gdiplus/image.c b/dlls/gdiplus/image.c
index 4ed226d..9b83d95 100644
--- a/dlls/gdiplus/image.c
+++ b/dlls/gdiplus/image.c
@@ -1958,8 +1958,6 @@ GpStatus WINGDIPAPI GdipDisposeImage(GpImage *image)
     if(!image)
         return InvalidParameter;
 
-    if (image->picture)
-        IPicture_Release(image->picture);
     if (image->type == ImageTypeBitmap)
     {
         GdipFree(((GpBitmap*)image)->bitmapbits);
@@ -1967,7 +1965,15 @@ GpStatus WINGDIPAPI GdipDisposeImage(GpImage *image)
         DeleteDC(((GpBitmap*)image)->hdc);
         DeleteObject(((GpBitmap*)image)->hbitmap);
     }
+    else if (image->type != ImageTypeMetafile)
+    {
+        WARN("invalid image: %p\n", image);
+        return ObjectBusy;
+    }
+    if (image->picture)
+        IPicture_Release(image->picture);
     GdipFree(image->palette_entries);
+    image->type = ~0;
     GdipFree(image);
 
     return Ok;
diff --git a/dlls/gdiplus/tests/image.c b/dlls/gdiplus/tests/image.c
index f00d003..b2b1a0f 100644
--- a/dlls/gdiplus/tests/image.c
+++ b/dlls/gdiplus/tests/image.c
@@ -2250,6 +2250,29 @@ static void test_colorkey(void)
     GdipDisposeImageAttributes(imageattr);
 }
 
+static void test_dispose(void)
+{
+    GpStatus stat;
+    GpImage *image;
+    char invalid_image[256];
+
+    stat = GdipDisposeImage(NULL);
+    expect(InvalidParameter, stat);
+
+    stat = GdipCreateBitmapFromScan0(2, 2, 0, PixelFormat32bppARGB, NULL, (GpBitmap**)&image);
+    expect(Ok, stat);
+
+    stat = GdipDisposeImage(image);
+    expect(Ok, stat);
+
+    stat = GdipDisposeImage(image);
+    expect(ObjectBusy, stat);
+
+    memset(invalid_image, 0, 256);
+    stat = GdipDisposeImage((GpImage*)invalid_image);
+    expect(ObjectBusy, stat);
+}
+
 START_TEST(image)
 {
     struct GdiplusStartupInput gdiplusStartupInput;
@@ -2289,6 +2312,7 @@ START_TEST(image)
     test_rotateflip();
     test_remaptable();
     test_colorkey();
+    test_dispose();
 
     GdiplusShutdown(gdiplusToken);
 }
-- 
1.7.0.4