Module: wine Branch: stable Commit: cb42844c7e3f952bdf0a59bad87c50f3820e8a55 URL: https://source.winehq.org/git/wine.git/?a=commit;h=cb42844c7e3f952bdf0a59bad...
Author: Vincent Povirk vincent@codeweavers.com Date: Tue May 8 12:46:20 2018 -0500
gdi32: Check that emf records are within the file.
Signed-off-by: Vincent Povirk vincent@codeweavers.com Signed-off-by: Huw Davies huw@codeweavers.com Signed-off-by: Alexandre Julliard julliard@winehq.org (cherry picked from commit b6da3547d8990c3c3affc3a5865aefd2a0946949) Signed-off-by: Michael Stefaniuc mstefani@winehq.org
---
dlls/gdi32/enhmetafile.c | 8 ++++++++ 1 file changed, 8 insertions(+)
diff --git a/dlls/gdi32/enhmetafile.c b/dlls/gdi32/enhmetafile.c index 045015f..2f6c794 100644 --- a/dlls/gdi32/enhmetafile.c +++ b/dlls/gdi32/enhmetafile.c @@ -2469,6 +2469,14 @@ BOOL WINAPI EnumEnhMetaFile( { emr = (ENHMETARECORD *)((char *)emh + offset);
+ if (offset + 8 > emh->nBytes || + offset > offset + emr->nSize || + offset + emr->nSize > emh->nBytes) + { + WARN("record truncated\n"); + break; + } + /* In Win9x mode we update the xform if the record will produce output */ if (hdc && IS_WIN9X() && emr_produces_output(emr->iType)) EMF_Update_MF_Xform(hdc, info);
-
Alexandre Julliard