richedit: Handle NULL buffer or 0 buffer length in ME_GetTextEx.
Dylan Smith
dylan.ah.smith at gmail.com
Wed Jul 29 23:54:13 CDT 2009
ME_GetTextEx directly handles EM_GETTEXTEX, and previously a NULL buffer
would be dereferenced, and a 0 buffer length would cause an
underflow in the nCount value which would allow a buffer overflow to
occur.
This patch simply checks for these cases at the start of the function to
handle them appropriately.
---
dlls/riched20/editor.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
-------------- next part --------------
diff --git a/dlls/riched20/editor.c b/dlls/riched20/editor.c
index 1e18c10..2a6f908 100644
--- a/dlls/riched20/editor.c
+++ b/dlls/riched20/editor.c
@@ -1863,6 +1863,8 @@ static int ME_GetTextEx(ME_TextEditor *editor, GETTEXTEX *ex, LPARAM pText)
{
int nStart, nCount; /* in chars */
+ if (!ex->cb || !pText) return 0;
+
if (ex->flags & ~(GT_SELECTION | GT_USECRLF))
FIXME("GETTEXTEX flags 0x%08x not supported\n", ex->flags & ~(GT_SELECTION | GT_USECRLF));
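Review bot: The new guard at the top of ME_GetTextEx rejects only a cb of exactly 0, so a cb that is nonzero but too small to hold even a terminating character may still reach the nCount computation that the commit message says underflows. nCount is declared "in chars" while GETTEXTEX.cb is a byte count, so it is worth confirming what happens with a cb smaller than one character of the target encoding, or comparing cb against that minimum instead of against zero. The diffstat shows only editor.c changed; a test that sends EM_GETTEXTEX with a NULL buffer and with cb set to 0 and checks for the 0 return would keep this from regressing.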