[Bug 4742] New: Message handling in dlls/user/edit.c may crash programs

Wine Bugs wine-bugs at winehq.org
Sun Mar 5 18:37:38 CST 2006


http://bugs.winehq.org/show_bug.cgi?id=4742

           Summary: Message handling in dlls/user/edit.c may crash programs
           Product: Wine
           Version: unspecified
          Platform: PC
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: major
          Priority: P2
         Component: wine-user
        AssignedTo: wine-bugs at winehq.org
        ReportedBy: qingdao33122 at yahoo.com


How to reproduce:

1. write a win32 program that uses a multiline edit control.
2. try to change the buffer that holds text by following the
   procedure outlined in
   http://msdn.microsoft.com/library/default.asp?url=/library/en-us/shellcc/platform/commctls/editcontrols/abouteditcontrols.asp

Your program crashes.

You can also create a VC6 Appwizard program, making sure your View
class inherits from CEditView, run the program, then try to load a
text file into the edit pane. (winetools users aren't exposed to this
problem because MFC handles this differently when in win9x)

Digging a little further into the source, I am now fairly certain where
the problem lies.

When you send an EM_SETHANDLE message to an edit control, you normally
should first free the original memory buffer it holds. When EM_SETHANDLE
is being processed by EditWndProc_common, the HLOCAL for the original buffer
may well be invalid. EditWndProc_common seems to call EDIT_LockBuffer before
it does anything. In EDIT_LockBuffer I see code like this:

    textA = LocalLock(es->hloc32A);
    countA = strlen(textA) + 1;

The code above doesn't check whether textA is non-NULL before doing the strlen;
that apparently crashes some programs, even beyond the EM_SETHANDLE case.

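As an added illustration (not Wine's code and not the reporter's), the EM_SETHANDLE sequence modelled in C with a constructed stand-in for the Win32 local heap: the unchecked lock from the report beside a variant that tolerates an already-freed handle. Only EM_SETHANDLE, EDIT_LockBuffer, hloc32A and LocalLock come from the report; every other name is an assumption.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for a Win32 HLOCAL: data == NULL models a handle the
   application has already freed, as the EM_SETHANDLE procedure tells it to. */
typedef struct { char *data; } LocalBlock;

/* Stand-in for LocalLock(): NULL for a freed or invalid handle. */
char *stub_LocalLock(LocalBlock *h) { return h ? h->data : NULL; }

/* Minimal model of the edit control state (es->hloc32A in the report). */
typedef struct { LocalBlock *hloc32A; } EditState;

/* The shape reported for EDIT_LockBuffer: the lock result is not checked,
   so strlen(NULL) runs when hloc32A is already invalid. Kept for contrast,
   never called here. */
size_t lock_buffer_unchecked(EditState *es) {
    char *textA = stub_LocalLock(es->hloc32A);
    return strlen(textA) + 1;  /* undefined behaviour when textA == NULL */
}

/* Hardened variant: a failed lock is reported to the caller, not dereferenced.
   Returns 1 on success with *countA set, 0 if the handle cannot be locked. */
int lock_buffer_checked(EditState *es, size_t *countA) {
    char *textA = stub_LocalLock(es->hloc32A);
    if (textA == NULL) { *countA = 0; return 0; }
    *countA = strlen(textA) + 1;
    return 1;
}

/* Models EditWndProc_common handling EM_SETHANDLE: the buffer is locked before
   the message is looked at, so that lock must tolerate an invalid old handle.
   Returns the byte count of the new buffer, or -1 if the new handle is invalid. */
long handle_em_sethandle(EditState *es, LocalBlock *newHandle) {
    size_t count;
    (void)lock_buffer_checked(es, &count);         /* old handle may be freed */
    if (stub_LocalLock(newHandle) == NULL) return -1;  /* reject a bad handle */
    es->hloc32A = newHandle;
    lock_buffer_checked(es, &count);
    return (long)count;
}
```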