Vincent Povirk : gdi32: Check that emf records are within the file.

[Alexandre Julliard]

Module: wine
Branch: master
Commit: b6da3547d8990c3c3affc3a5865aefd2a0946949
URL:    https://source.winehq.org/git/wine.git/?a=commit;h=b6da3547d8990c3c3affc3a5865aefd2a0946949

Author: Vincent Povirk <vincent at codeweavers.com>
Date:   Tue May  8 12:46:20 2018 -0500

gdi32: Check that emf records are within the file.

Signed-off-by: Vincent Povirk <vincent at codeweavers.com>
Signed-off-by: Huw Davies <huw at codeweavers.com>
Signed-off-by: Alexandre Julliard <julliard at winehq.org>

---

 dlls/gdi32/enhmetafile.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/dlls/gdi32/enhmetafile.c b/dlls/gdi32/enhmetafile.c
index ffe21f0..2d8a9b0 100644
--- a/dlls/gdi32/enhmetafile.c
+++ b/dlls/gdi32/enhmetafile.c
@@ -2470,6 +2470,14 @@ BOOL WINAPI EnumEnhMetaFile(
     {
 	emr = (ENHMETARECORD *)((char *)emh + offset);
 
+        if (offset + 8 > emh->nBytes ||
+            offset > offset + emr->nSize ||
+            offset + emr->nSize > emh->nBytes)
+        {
+            WARN("record truncated\n");
+            break;
+        }
+
         /* In Win9x mode we update the xform if the record will produce output */
         if (hdc && IS_WIN9X() && emr_produces_output(emr->iType))
             EMF_Update_MF_Xform(hdc, info);