Patch for Bug #9324, Mp3Tag: crash when editing the "Year" field, in some cases

Unknown the_unknown at gmx.net
Wed Aug 15 12:10:42 CDT 2007


It seems that the maximal text length in the "year" combo box in Mp3Tag is set
to 4, but if a file with more text in the "Year" field is loaded, it is shown
in the corresponding combo box though.
This caused a negative string length in a calculation in the EDIT_EM_ReplaceSel
function in dlls/user32/edit.c:3208 and a buffer overflow later (line 3236).
The proposed patch ensures that the string length is always >= 0.



 From 769637a6cc7f0ecea60ac775d3685bfe0d2b3956 Mon Sep 17 00:00:00 2001
From: Alex Busenius <the_unknown at gmx.net>
Date: Wed, 15 Aug 2007 05:54:36 +0200
Subject: Fix segfault with comboboxes containing a longer text than 
buffer limit

---
 dlls/user32/edit.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/dlls/user32/edit.c b/dlls/user32/edit.c
index 77ecf32..8adcb4a 100644
--- a/dlls/user32/edit.c
+++ b/dlls/user32/edit.c
@@ -3206,6 +3206,9 @@ static void EDIT_EM_ReplaceSel(EDITSTATE *es, BOOL 
can_undo, LPCWSTR lpsz_replac
     if ((honor_limit) && (es->buffer_limit > 0) && (size > 
es->buffer_limit)) {
         EDIT_NOTIFY_PARENT(es, EN_MAXTEXT);
         strl = es->buffer_limit - (tl - (e-s));
+        /* Buffer limit can be smaller than the actual length of text 
in combobox */
+        if (es->buffer_limit < (tl - (e-s)))
+            strl = 0;
     }
 
     if (!EDIT_MakeFit(es, tl - (e - s) + strl))
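Review bot: The added check runs only after strl = es->buffer_limit - (tl - (e-s)) has already been evaluated, so the out-of-range difference is still computed and then overwritten. Testing first and subtracting only in the else branch would make the clamp explicit: if (es->buffer_limit < tl - (e-s)) strl = 0; else strl = es->buffer_limit - (tl - (e-s)); The comment also names only comboboxes, while the condition depends solely on es->buffer_limit and the existing text length, so it would be more accurate to say that the text already in the control can exceed the limit. The hunk does not show the declarations of strl, tl, e and s; please confirm that the comparison behaves as intended for their signedness.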
-- 
1.5.3.rc4
