[PATCH] user32: Fix buffer overflow in EDIT_EM_ReplaceSel().

Roman Pišl rpisl at seznam.cz
Mon Oct 17 17:34:55 CDT 2016


After the EN_MAXTEXT notification, the available space may be larger than
the length of the string. This must be checked, and strl must not be
set to a value larger than the actual length of the string.

Fixes bug https://bugs.winehq.org/show_bug.cgi?id=23838 (tested)
and probably https://bugs.winehq.org/show_bug.cgi?id=13319.

Signed-off-by: Roman Pišl <rpisl at seznam.cz>
---
 dlls/user32/edit.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dlls/user32/edit.c b/dlls/user32/edit.c
index f5cd3c4..78d78ea 100644
--- a/dlls/user32/edit.c
+++ b/dlls/user32/edit.c
@@ -2598,7 +2598,7 @@ static void EDIT_EM_ReplaceSel(EDITSTATE *es, BOOL can_undo, LPCWSTR lpsz_replac
 		if (es->buffer_limit < (tl - (e-s)))
 			strl = 0;
 		else
-			strl = es->buffer_limit - (tl - (e-s));
+			strl = min(strl, es->buffer_limit - (tl - (e-s)));
 	}
 
 	if (!EDIT_MakeFit(es, tl - (e - s) + strl))
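Review bot: the new min() on the else branch is the right clamp, since the old assignment set strl to the full remaining capacity `es->buffer_limit - (tl - (e-s))` regardless of how long lpsz_replace actually is, and EDIT_MakeFit then sized the buffer for that larger value while the subsequent copy read past the replacement string; a short comment on that line saying why the clamp is needed (the limit may have been raised by the EN_MAXTEXT handler) would keep the next reader from "simplifying" it back. Also consider hoisting the repeated `tl - (e-s)` into a local (e.g. the remaining text length) so the three occurrences across the if/else and the EDIT_MakeFit call are clearly the same quantity, and adding a regression test for bug 23838 so the overflow cannot return silently.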
-- 
2.7.4