Integer overflow leads to heap buffer overflow on EMF/WMF files parsing.
vulners.com/securityvulns/securityvulns:doc:15575
vulners.com/securityvulns/securityvulns:doc:15576