Trejkaz - 11/Feb/07 03:33 PM Header contents: offset 0, DWORD iType (skipped) offset 4, DWORD nSize = 132 offset 8, RECTL rclBounds = [x=19,y=20,width=8794,height=4400] offset 24, RECTL rclFrame = [x=0,y=0,width=18696,height=9396] offset 40, DWORD dSignature = " EMF" offset 44, DWORD nVersion; = 1, 0 (65536) offset 48, DWORD nBytes = 22572 offset 52, DWORD nRecords = 559 offset 56, WORD nHandles = 15 offset 58, WORD sReserved (skipped) offset 60, DWORD nDescription = 15 <--- length of description offset 64, DWORD offDescription (skipped) offset 68, DWORD nPalEntries = 0 offset 72, SIZEL szlDevice = [width=9499,height=13607] offset 80, SIZEL szlMillimeters = [width=201,height=288] offset 88, DWORD cbPixelFormat (skipped) offset 92, DWORD offPixelFormat (skipped) offset 96, DWORD bOpenGL = false At this point there are issues. The length is longer than 100 but the value read looks suspicious. The description read ("O") is also suspicious. What I think is happening is that the description length is 15, so there are 30 bytes, but it's being padded to 32. I don't know whether this padding is at the end of the entire structure, or at the end of the description. Currently my code makes the assumption that it's at the end of the string itself, which wouldn't cause an issue yet even if it's wrong, because we don't read anything after the string anyway.

Trejkaz - 11/Feb/07 03:35 PM Here's my fix, but I'm not confident that it's really safe.

Trejkaz - 11/Feb/07 03:49 PM Actually I just had a thought about this... maybe it's safer to use dOffset to determine which version of the EMF header it's reading, rather than using the total length of the record.

Trejkaz - 11/Feb/07 06:02 PM Here's a better patch. Uses the description offset both to determine what version of Windows it was, and where to read the description from. Should also be futureproof in the event that more fields are added in-between. Removes one more fixme from the code too.

Mark Donszelmann - 12/Feb/07 12:14 AM Applied last patch. Revision 10526.