richedit: Prevent buffer overflows in WM_GETTEXT.

The application AutoGK was getting the length of the text with WM_GETTEXTLENGTH to allocate an appropriate buffer size, but then claimed the buffer was twice the size when sending WM_GETTEXTEX. This caused the memcpy call to overflow the actual buffer since the count is based on the size of the buffer alone, regardless of the amount of text retrieved.

richedit: Prevent buffer overflows in WM_GETTEXT.
c4b023b1 · Dylan Smith · Alexandre Julliard · 3d89e291 · c4b023b1
Commit c4b023b1 authored Jul 30, 2009 by Dylan Smith Committed by Alexandre Julliard Aug 03, 2009
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 26 deletions

editor.c dlls/riched20/editor.c +2 -26

No files found.
--- a/dlls/riched20/editor.c
+++ b/dlls/riched20/editor.c
@@ -3544,36 +3544,12 @@ LRESULT ME_HandleMessage(ME_TextEditor *editor, UINT msg, WPARAM wParam,
  case WM_GETTEXT:
  {
    GETTEXTEX ex;
-    LRESULT rc;
-    LPSTR bufferA = NULL;
-    LPWSTR bufferW = NULL;
-
-    if (unicode)
-        bufferW = heap_alloc((wParam + 2) * sizeof(WCHAR));
-    else
-        bufferA = heap_alloc(wParam + 2);
-
-    ex.cb = (wParam + 2) * (unicode ? sizeof(WCHAR) : sizeof(CHAR));
+    ex.cb = wParam * (unicode ? sizeof(WCHAR) : sizeof(CHAR));
    ex.flags = GT_USECRLF;
    ex.codepage = unicode ? 1200 : CP_ACP;
    ex.lpDefaultChar = NULL;
    ex.lpUsedDefChar = NULL;
-
-    rc = ME_GetTextEx(editor, &ex, unicode ? (LPARAM)bufferW : (LPARAM)bufferA);
-
-    if (unicode)
-    {
-        memcpy((LPWSTR)lParam, bufferW, wParam * sizeof(WCHAR));
-        if (strlenW(bufferW) >= wParam) rc = 0;
-    }
-    else
-    {
-        memcpy((LPSTR)lParam, bufferA, wParam);
-        if (strlen(bufferA) >= wParam) rc = 0;
-    }
-    heap_free(bufferA);
-    heap_free(bufferW);
-    return rc;
+    return ME_GetTextEx(editor, &ex, lParam);
  }
  case EM_GETTEXTEX:
    return ME_GetTextEx(editor, (GETTEXTEX*)wParam, lParam);