comctl32: tooltips: avoid buffer overrun (spotted by, bug #8361), make sure some strings are NUL-terminated

Alexandre Julliard julliard at
Thu Jul 19 06:01:00 CDT 2007

Mikołaj Zalewski <mikolaj at> writes:

> @@ -389,10 +390,10 @@ static void TOOLTIPS_GetDispInfoW(HWND hwnd, TOOLTIPS_INFO *infoPtr, TTTOOL_INFO
>                  sizeof(ttnmdi.szText)/sizeof(ttnmdi.szText[0]) : INFOTIPSIZE-1;
>          lstrcpynW(infoPtr->szTipText, ttnmdi.lpszText, max_len);
>          if (ttnmdi.uFlags & TTF_DI_SETITEM) {
> -            INT len = max(strlenW(ttnmdi.lpszText), max_len);
> +            INT len = min(strlenW(ttnmdi.lpszText), max_len);

It the text is really allowed to not be null-terminated then calling
strlenW on it is wrong in any case. It does seem surprising though,
are you sure we really need to support this?

Alexandre Julliard
julliard at

More information about the wine-devel mailing list