Index: eng.h
===================================================================
--- eng.h (revision 66562)
+++ eng.h (working copy)
@@ -31,7 +31,7 @@
 VOID FASTCALL IntGdiReleaseSemaphore ( HSEMAPHORE hsem );
 ULONGLONG APIENTRY EngGetTickCount(VOID);
-VOID DecompressBitmap(SIZEL Size, BYTE *CompressedBits, BYTE *UncompressedBits, LONG Delta, ULONG iFormat);
+VOID DecompressBitmap(SIZEL Size, BYTE *CompressedBits, BYTE *UncompressedBits, LONG Delta, ULONG iFormat, ULONG cjSizeImage);
 HANDLE APIENTRY
Index: rlecomp.c
===================================================================
--- rlecomp.c (revision 66562)
+++ rlecomp.c (working copy)
@@ -18,7 +18,7 @@
 RLE_DELTA = 2 /* Delta */
 };
-VOID DecompressBitmap(SIZEL Size, BYTE *CompressedBits, BYTE *UncompressedBits, LONG Delta, ULONG Format)
+VOID DecompressBitmap(SIZEL Size, BYTE *CompressedBits, BYTE *UncompressedBits, LONG Delta, ULONG Format, ULONG cjSizeImage)
 {
 INT x = 0;
 INT y = Size.cy - 1;
@@ -25,7 +25,7 @@
 INT c;
 INT length;
 INT width;
- INT height = Size.cy - 1;
+ INT height = y;
 BYTE *begin = CompressedBits;
 BYTE *bits = CompressedBits;
 BYTE *temp;
@@ -40,7 +40,7 @@
 _SEH2_TRY {
- while (y >= 0)
+ while (y >= 0 && (bits - begin) <= cjSizeImage)
 {
 length = (*bits++) >> shift;
 if (length)
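Review bot: The new `cjSizeImage` parameter on the `DecompressBitmap` definition (rlecomp.c, hunk at -18) has no comment saying what it measures, and the bounds check added later in this patch is only as strong as the value callers pass. I would add above the definition `/* cjSizeImage: number of bytes actually readable at CompressedBits; pass the validated buffer size, not a length taken from the bitmap header */`. No call site is visible in this patch, so whether callers supply a trusted size cannot be confirmed from here. The function body continues outside the hunk.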
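Review bot: The loop condition `(bits - begin) <= cjSizeImage` in the last rlecomp.c hunk still admits an iteration when `bits` is exactly `cjSizeImage` bytes past `begin`, so `*bits++` on the next line reads one byte beyond the compressed buffer; the comparison should be strict, e.g. `while (y >= 0 && (ULONG)(bits - begin) < cjSizeImage)`. The check also runs only once per iteration, so any further reads through `bits` inside the body (which continues outside this hunk) are presumably not bounded by it and would need their own remaining-length checks. The enclosing `_SEH2_TRY` should not be relied on as the backstop, since an over-read that lands in mapped memory raises no exception.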