Patch for Bug #9324, Mp3Tag: crash when editing the "Year" field,
in some cases
Unknown
the_unknown at gmx.net
Wed Aug 15 12:10:42 CDT 2007
It seems that the maximal text length in the "year" combo box in Mp3Tag is set
to 4, but if a file with more text in the "Year" field is loaded, it is shown
in the corresponding combo box though.
This caused a negative string length in a calculation in the EDIT_EM_ReplaceSel
function in dlls/user32/edit.c:3208 and a buffer overflow later (line 3236).
The proposed patch ensures that the string length is always >= 0.
From 769637a6cc7f0ecea60ac775d3685bfe0d2b3956 Mon Sep 17 00:00:00 2001
From: Alex Busenius <the_unknown at gmx.net>
Date: Wed, 15 Aug 2007 05:54:36 +0200
Subject: Fix segfault with comboboxes containing a longer text than
buffer limit
---
dlls/user32/edit.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/dlls/user32/edit.c b/dlls/user32/edit.c
index 77ecf32..8adcb4a 100644
--- a/dlls/user32/edit.c
+++ b/dlls/user32/edit.c
@@ -3206,6 +3206,9 @@ static void EDIT_EM_ReplaceSel(EDITSTATE *es, BOOL
can_undo, LPCWSTR lpsz_replac
if ((honor_limit) && (es->buffer_limit > 0) && (size >
es->buffer_limit)) {
EDIT_NOTIFY_PARENT(es, EN_MAXTEXT);
strl = es->buffer_limit - (tl - (e-s));
+ /* Buffer limit can be smaller than the actual length of text
in combobox */
+ if (es->buffer_limit < (tl - (e-s)))
+ strl = 0;
}
if (!EDIT_MakeFit(es, tl - (e - s) + strl))
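Review bot: The added clamp (if (es->buffer_limit < (tl - (e-s))) strl = 0;) runs only after strl = es->buffer_limit - (tl - (e-s)); has been evaluated, so the out-of-range difference is still computed and then overwritten. Folding the two into a single if/else (0 when the limit is smaller than the text that remains, the difference otherwise) avoids the intermediate bad value and states the intent directly. The hunk does not show the declared types of strl, tl and es->buffer_limit, so please confirm the new comparison behaves as intended for them. The comment names comboboxes only, while the condition applies to any case where the text left after removing the selection is longer than buffer_limit; it also runs past the line width and should be wrapped. A regression test that sets a limit shorter than the existing text and then replaces the selection would keep this path covered.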
--
1.5.3.rc4
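The length calculation described in the report, worked through as an added example (not code from Wine or from the patch author). The struct and function names are hypothetical, lengths are modelled as signed int to follow the report's "negative string length" wording, and the sample values are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of a length-limited edit control (hypothetical, not Wine's EDITSTATE). */
struct edit_model { char text[64]; int len; int limit; };

/* Calculation as the report describes it: goes negative when the
 * text already in the control is longer than the limit. */
int allowed_len_unclamped(int limit, int tl, int s, int e, int strl)
{
    int size = tl - (e - s) + strl;
    if (limit > 0 && size > limit)
        strl = limit - (tl - (e - s));
    return strl;
}

/* Same calculation with the result kept >= 0. */
int allowed_len_clamped(int limit, int tl, int s, int e, int strl)
{
    int kept = tl - (e - s);               /* text surviving the replace */
    if (limit > 0 && kept + strl > limit)
        strl = (limit < kept) ? 0 : limit - kept;
    return strl;
}

/* Replace the selection [s,e) with repl, honoring the limit.
 * Returns the new text length, or -1 on an invalid request. */
int replace_sel(struct edit_model *m, int s, int e, const char *repl)
{
    int strl, newlen;
    if (s < 0 || e < s || e > m->len) return -1;
    strl = allowed_len_clamped(m->limit, m->len, s, e, (int)strlen(repl));
    newlen = m->len - (e - s) + strl;
    if (newlen >= (int)sizeof m->text) return -1;
    memmove(m->text + s + strl, m->text + e, (size_t)(m->len - e) + 1);
    memcpy(m->text + s, repl, (size_t)strl);
    m->len = newlen;
    return newlen;
}

int main(void)
{
    /* Constructed sample: limit 4, but 10 characters were loaded from a file. */
    struct edit_model m = { "2007-08-15", 10, 4 };
    printf("unclamped: %d\n", allowed_len_unclamped(4, 10, 10, 10, 1));
    printf("clamped:   %d\n", allowed_len_clamped(4, 10, 10, 10, 1));
    printf("after typing at end: %d \"%s\"\n", replace_sel(&m, 10, 10, "x"), m.text);
    return 0;
}
```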