>From 9290d74528ecbfe4ef2083091993d9cb42dc317e Mon Sep 17 00:00:00 2001
From: Javier Cantero <jcantero@escomposlinux.org>
Date: Thu, 20 Mar 2014 16:07:32 +0100
Subject: user32: Fix side effect in SubtractRect()

If SubtractRect() is called when the pointers dest and src2 are the same, the
early *dest = *src1; also modifies the values of src2 rect as a side effect, and
the subsequent intersection is miscalculated, returning always an empty
rectangle instead of the correct result.

To avoid this bug, the assignment must be deferred after the last use of src2 in
both branches.
---
 dlls/user32/uitools.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/dlls/user32/uitools.c b/dlls/user32/uitools.c
index c11a1d3..1afb1c89 100644
--- a/dlls/user32/uitools.c
+++ b/dlls/user32/uitools.c
@@ -1421,14 +1421,14 @@ BOOL WINAPI SubtractRect( LPRECT dest, const RECT *src1, const RECT *src2 )
         SetRectEmpty( dest );
         return FALSE;
     }
-    *dest = *src1;
     if (IntersectRect( &tmp, src1, src2 ))
     {
-        if (EqualRect( &tmp, dest ))
+        if (EqualRect( &tmp, src1 ))
         {
             SetRectEmpty( dest );
             return FALSE;
         }
+        *dest = *src1;
         if ((tmp.top == dest->top) && (tmp.bottom == dest->bottom))
         {
             if (tmp.left == dest->left) dest->left = tmp.right;
@@ -1440,6 +1440,10 @@ BOOL WINAPI SubtractRect( LPRECT dest, const RECT *src1, const RECT *src2 )
             else if (tmp.bottom == dest->bottom) dest->bottom = tmp.top;
         }
     }
+    else
+    {
+        *dest = *src1;
+    }
     return TRUE;
 }
 
-- 
1.9.0