Added sanity checks on EMRCREATEDIBPATTERNBRUSHPT values.
Fix a memory leak.
diff --git a/objects/enhmetafile.c b/objects/enhmetafile.c
index fcf52e5..9a99c9d 100644
--- a/objects/enhmetafile.c
+++ b/objects/enhmetafile.c
@@ -1148,11 +1148,27 @@
case EMR_CREATEDIBPATTERNBRUSHPT:
{
PEMRCREATEDIBPATTERNBRUSHPT lpCreate = (PEMRCREATEDIBPATTERNBRUSHPT)mr;
+ LPVOID lpPackedStruct;
+
+ /* check that offsets and data are contained within the record */
+ if ( !( (lpCreate->cbBmi>=0) && (lpCreate->cbBits>=0) &&
+ (lpCreate->offBmi>=0) && (lpCreate->offBits>=0) &&
+ ((lpCreate->offBmi +lpCreate->cbBmi ) <= mr->nSize) &&
+ ((lpCreate->offBits+lpCreate->cbBits) <= mr->nSize) ) )
+ {
+ ERR("Invalid EMR_CREATEDIBPATTERNBRUSHPT record\n");
+ break;
+ }
/* This is a BITMAPINFO struct followed directly by bitmap bits */
- LPVOID lpPackedStruct = HeapAlloc( GetProcessHeap(),
- 0,
- lpCreate->cbBmi + lpCreate->cbBits );
+ lpPackedStruct = HeapAlloc( GetProcessHeap(), 0,
+ lpCreate->cbBmi + lpCreate->cbBits );
+ if(!lpPackedStruct)
+ {
+ SetLastError(ERROR_NOT_ENOUGH_MEMORY);
+ break;
+ }
+
/* Now pack this structure */
memcpy( lpPackedStruct,
((BYTE*)lpCreate) + lpCreate->offBmi,
@@ -1165,6 +1181,8 @@
CreateDIBPatternBrushPt( lpPackedStruct,
(UINT)lpCreate->iUsage );
+ HeapFree(GetProcessHeap(), 0, lpPackedStruct);
+
break;
}
