Index: win32ss/gdi/eng/eng.h
===================================================================
--- win32ss/gdi/eng/eng.h (revision 69746)
+++ win32ss/gdi/eng/eng.h (working copy)
@@ -52,4 +52,5 @@
 BYTE *CompressedBits,
 BYTE *UncompressedBits,
 LONG Delta,
- ULONG iFormat);
+ ULONG iFormat,
+ ULONG cjSizeImage);
Index: win32ss/gdi/eng/rlecomp.c
===================================================================
--- win32ss/gdi/eng/rlecomp.c (revision 69746)
+++ win32ss/gdi/eng/rlecomp.c (working copy)
@@ -18,7 +18,7 @@
 RLE_DELTA = 2 /* Delta */
 };
-VOID DecompressBitmap(SIZEL Size, BYTE *CompressedBits, BYTE *UncompressedBits, LONG Delta, ULONG Format)
+VOID DecompressBitmap(SIZEL Size, BYTE *CompressedBits, BYTE *UncompressedBits, LONG Delta, ULONG Format, ULONG cjSizeImage)
 {
 INT x = 0;
 INT y = Size.cy - 1;
@@ -25,7 +25,7 @@
 INT c;
 INT length;
 INT width;
- INT height = Size.cy - 1;
+ INT height = y;
 BYTE *begin = CompressedBits;
 BYTE *bits = CompressedBits;
 BYTE *temp;
@@ -40,7 +40,7 @@
 _SEH2_TRY
 {
- while (y >= 0)
+ while (y >= 0 && (bits - begin) <= cjSizeImage)
 {
 length = (*bits++) >> shift;
 if (length)
Index: win32ss/gdi/ntgdi/bitmaps.c
===================================================================
--- win32ss/gdi/ntgdi/bitmaps.c (revision 69746)
+++ win32ss/gdi/ntgdi/bitmaps.c (working copy)
@@ -107,7 +107,6 @@
 pvCompressedBits = pvBits;
 pvBits = NULL;
 iFormat = (iFormat == BMF_4RLE) ? BMF_4BPP : BMF_8BPP;
- cjSizeImage = 0;
 }
 /* Allocate a surface */
@@ -117,7 +116,7 @@
 iFormat,
 fjBitmap,
 cjWidthBytes,
- cjSizeImage,
+ pvCompressedBits ? 0 : cjSizeImage,
 pvBits);
 if (!psurf)
 {
@@ -136,7 +135,7 @@
 lDelta = WIDTH_BYTES_ALIGN32(nWidth, gajBitsPerFormat[iFormat]);
 pvBits = psurf->SurfObj.pvBits;
- DecompressBitmap(sizl, pvCompressedBits, pvBits, lDelta, iFormat);
+ DecompressBitmap(sizl, pvCompressedBits, pvBits, lDelta, iFormat, cjSizeImage);
 }
 /* Get the handle for the bitmap */
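Review bot: The new `cjSizeImage` parameter on the `DecompressBitmap` prototype in eng.h has no comment saying which buffer it measures, and the name reads like the size of the decoded image. Its use in rlecomp.c shows it bounds reads from `CompressedBits`, so a comment such as `/* cjSizeImage: size in bytes of the RLE stream at CompressedBits */` on the prototype and on the definition (rlecomp.c, hunk at line 18) would keep callers from passing the output size. The prototype also names the format argument `iFormat` while the definition calls it `Format`. The prototype begins outside this hunk.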
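Review bot: In rlecomp.c (hunk at line 40) the new loop guard uses `<=`, so when `bits - begin` equals `cjSizeImage` the loop is still entered and `*bits++` reads one byte past the end of the compressed buffer; the comparison should be strict, `while (y >= 0 && (bits - begin) < cjSizeImage)`. The guard is also evaluated only once per iteration, while the loop body, which continues outside the hunk, presumably consumes more bytes of each RLE record after the length byte, so those reads need their own remaining-length checks. As far as these hunks show, the change bounds only the input side; writes into `UncompressedBits` are not covered by it.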
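Review bot: In bitmaps.c (hunk at line 136) the caller-supplied `cjSizeImage` is now handed to `DecompressBitmap` as the length of the RLE stream, but nothing in the visible hunks checks it against the real size of the buffer behind `pvCompressedBits`, so the new bound is only as trustworthy as that argument. If a caller passes 0 for an RLE bitmap, the guard in rlecomp.c would stop after the first record where the old code decoded the whole image; that case should be rejected or handled explicitly before the call. The expression `pvCompressedBits ? 0 : cjSizeImage` in the hunk at line 117 also relies on `pvCompressedBits` being NULL on the non-RLE path, and its initialisation is outside the hunk. The enclosing function starts and ends outside these hunks.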