Commit 43837ed2 authored by Gerald Pfeifer's avatar Gerald Pfeifer Committed by Alexandre Julliard

gdi32: Tighten range checking in PlayEnhMetaFileRecord() and remove four useless checks.

parent ad92cdcf
...@@ -1669,11 +1669,13 @@ BOOL WINAPI PlayEnhMetaFileRecord( ...@@ -1669,11 +1669,13 @@ BOOL WINAPI PlayEnhMetaFileRecord(
const EMRCREATEDIBPATTERNBRUSHPT *lpCreate = (const EMRCREATEDIBPATTERNBRUSHPT *)mr; const EMRCREATEDIBPATTERNBRUSHPT *lpCreate = (const EMRCREATEDIBPATTERNBRUSHPT *)mr;
LPVOID lpPackedStruct; LPVOID lpPackedStruct;
/* check that offsets and data are contained within the record */ /* Check that offsets and data are contained within the record
if ( !( (lpCreate->cbBmi>=0) && (lpCreate->cbBits>=0) && * (including checking for wrap arounds).
(lpCreate->offBmi>=0) && (lpCreate->offBits>=0) && */
((lpCreate->offBmi +lpCreate->cbBmi ) <= mr->nSize) && if ( lpCreate->offBmi + lpCreate->cbBmi > mr->nSize
((lpCreate->offBits+lpCreate->cbBits) <= mr->nSize) ) ) || lpCreate->offBits + lpCreate->cbBits > mr->nSize
|| lpCreate->offBmi + lpCreate->cbBmi < lpCreate->offBmi
|| lpCreate->offBits + lpCreate->cbBits < lpCreate->offBits )
{ {
ERR("Invalid EMR_CREATEDIBPATTERNBRUSHPT record\n"); ERR("Invalid EMR_CREATEDIBPATTERNBRUSHPT record\n");
break; break;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment