Dylan Smith : richedit: Handle NULL buffer or 0 buffer length in ME_GetTextEx.

Alexandre Julliard julliard at winehq.org
Mon Aug 3 11:15:23 CDT 2009


Module: wine
Branch: master
Commit: 3d89e29155dc3a359026caed50840d5a57ab2510
URL:    http://source.winehq.org/git/wine.git/?a=commit;h=3d89e29155dc3a359026caed50840d5a57ab2510

Author: Dylan Smith <dylan.ah.smith at gmail.com>
Date:   Thu Jul 30 00:54:13 2009 -0400

richedit: Handle NULL buffer or 0 buffer length in ME_GetTextEx.

ME_GetTextEx directly handles EM_GETTEXTEX, and previously a NULL buffer
would be dereferenced, and a 0 buffer length would cause an underflow in
the nCount value which would allow a buffer overflow to occur.

---

 dlls/riched20/editor.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/dlls/riched20/editor.c b/dlls/riched20/editor.c
index 1e18c10..2a6f908 100644
--- a/dlls/riched20/editor.c
+++ b/dlls/riched20/editor.c
@@ -1863,6 +1863,8 @@ static int ME_GetTextEx(ME_TextEditor *editor, GETTEXTEX *ex, LPARAM pText)
 {
     int nStart, nCount; /* in chars */
 
+    if (!ex->cb || !pText) return 0;
+
     if (ex->flags & ~(GT_SELECTION | GT_USECRLF))
       FIXME("GETTEXTEX flags 0x%08x not supported\n", ex->flags & ~(GT_SELECTION | GT_USECRLF));
 
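Review bot: the new guard at the top of ME_GetTextEx rejects only ex->cb == 0, but nCount is declared "in chars" while cb is a byte count, so a non-zero cb smaller than one character plus its terminator may still reach the nCount computation that is outside this hunk. If that computation subtracts room for the terminator after converting bytes to chars, a value such as cb == 1 on a Unicode request could still go negative; please confirm, and if so compare cb against the size of one character instead of against zero. The check also dereferences ex before anything validates it, so state whether callers guarantee a non-NULL GETTEXTEX pointer. A one-line comment saying why 0 is returned here, and a test in the riched20 test suite that sends EM_GETTEXTEX with cb == 0 and with a NULL buffer, would keep this from regressing.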



