Signed-off-by: Vincent Povirk vincent@codeweavers.com
---
 dlls/gdi32/enhmetafile.c | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/dlls/gdi32/enhmetafile.c b/dlls/gdi32/enhmetafile.c
index f2e2930d9ea..c4b1ee1ce4e 100644
--- a/dlls/gdi32/enhmetafile.c
+++ b/dlls/gdi32/enhmetafile.c
@@ -2470,6 +2470,14 @@ BOOL WINAPI EnumEnhMetaFile(
 {
 emr = (ENHMETARECORD *)((char *)emh + offset);
+ if (offset + 8 > emh->nBytes ||
+ offset > offset + emr->nSize ||
+ offset + emr->nSize > emh->nBytes)
+ {
+ WARN("record truncated\n");
+ break;
+ }
+
 /* In Win9x mode we update the xform if the record will produce output */
 if (hdc && IS_WIN9X() && emr_produces_output(emr->iType))
 EMF_Update_MF_Xform(hdc, info);
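Review bot: A record whose `nSize` is 0, or anything smaller than the 8-byte record header, passes all three clauses of the new check, because the check only bounds the record from above. If the loop advances with `offset += emr->nSize` (the advance is outside this hunk, so this is inferred), a zero-size record in a malformed file would never move `offset` forward and the enumeration would not terminate. I would add a lower bound as the second clause, `emr->nSize < sizeof(EMR) ||`, and write the first clause as `offset + sizeof(EMR) > emh->nBytes` so the bare `8` is tied to the header it stands for. A short comment such as `/* header must be in bounds before nSize is read */` above the condition would keep a later edit from reordering the clauses. The body of EnumEnhMetaFile starts and ends outside the hunk, so whether `ret` still reports success after the `break` could not be checked from here.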