user32: Fix buffer overflow in EDIT_EM_ReplaceSel().

After EN_MAXTEXT notification, available space may be larger than length of the string. This must be checked and strl must not be set to a value larger than the actual length of the string. Signed-off-by: Roman Pišl <rpisl@seznam.cz> Signed-off-by: Alexandre Julliard <julliard@winehq.org>

user32: Fix buffer overflow in EDIT_EM_ReplaceSel().
9de8ea75 · Roman Pišl · Alexandre Julliard · 71bd1339 · 9de8ea75
Commit 9de8ea75 authored Oct 18, 2016 by Roman Pišl Committed by Alexandre Julliard Oct 19, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

edit.c dlls/user32/edit.c +1 -1

No files found.
--- a/dlls/user32/edit.c
+++ b/dlls/user32/edit.c
@@ -2598,7 +2598,7 @@ static void EDIT_EM_ReplaceSel(EDITSTATE *es, BOOL can_undo, LPCWSTR lpsz_replac
 		if (es->buffer_limit < (tl - (e-s)))
 			strl = 0;
 		else
-			strl = es->buffer_limit - (tl - (e-s));
+			strl = min(strl, es->buffer_limit - (tl - (e-s)));
 	}

 	if (!EDIT_MakeFit(es, tl - (e - s) + strl))