Commit c4b023b1 authored by Dylan Smith's avatar Dylan Smith Committed by Alexandre Julliard

richedit: Prevent buffer overflows in WM_GETTEXT.

The application AutoGK was getting the length of the text with WM_GETTEXTLENGTH to allocate an appropriate buffer size, but then claimed the buffer was twice the size when sending WM_GETTEXTEX. This caused the memcpy call to overflow the actual buffer since the count is based on the size of the buffer alone, regardless of the amount of text retrieved.
parent 3d89e291
...@@ -3544,36 +3544,12 @@ LRESULT ME_HandleMessage(ME_TextEditor *editor, UINT msg, WPARAM wParam, ...@@ -3544,36 +3544,12 @@ LRESULT ME_HandleMessage(ME_TextEditor *editor, UINT msg, WPARAM wParam,
case WM_GETTEXT: case WM_GETTEXT:
{ {
GETTEXTEX ex; GETTEXTEX ex;
LRESULT rc; ex.cb = wParam * (unicode ? sizeof(WCHAR) : sizeof(CHAR));
LPSTR bufferA = NULL;
LPWSTR bufferW = NULL;
if (unicode)
bufferW = heap_alloc((wParam + 2) * sizeof(WCHAR));
else
bufferA = heap_alloc(wParam + 2);
ex.cb = (wParam + 2) * (unicode ? sizeof(WCHAR) : sizeof(CHAR));
ex.flags = GT_USECRLF; ex.flags = GT_USECRLF;
ex.codepage = unicode ? 1200 : CP_ACP; ex.codepage = unicode ? 1200 : CP_ACP;
ex.lpDefaultChar = NULL; ex.lpDefaultChar = NULL;
ex.lpUsedDefChar = NULL; ex.lpUsedDefChar = NULL;
return ME_GetTextEx(editor, &ex, lParam);
rc = ME_GetTextEx(editor, &ex, unicode ? (LPARAM)bufferW : (LPARAM)bufferA);
if (unicode)
{
memcpy((LPWSTR)lParam, bufferW, wParam * sizeof(WCHAR));
if (strlenW(bufferW) >= wParam) rc = 0;
}
else
{
memcpy((LPSTR)lParam, bufferA, wParam);
if (strlen(bufferA) >= wParam) rc = 0;
}
heap_free(bufferA);
heap_free(bufferW);
return rc;
} }
case EM_GETTEXTEX: case EM_GETTEXTEX:
return ME_GetTextEx(editor, (GETTEXTEX*)wParam, lParam); return ME_GetTextEx(editor, (GETTEXTEX*)wParam, lParam);
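Review bot: `ex.cb = wParam * (unicode ? sizeof(WCHAR) : sizeof(CHAR));` turns a caller-supplied character count into a byte count with no range check and stores it in GETTEXTEX.cb, which is narrower than WPARAM on 64-bit builds, so a wParam above UINT_MAX / sizeof(WCHAR) is silently truncated; the truncated value is never larger than the true product, so it cannot cause writes beyond what the caller claimed, but it can collapse to 0 or a few bytes and the caller then gets a silently short result. Making the limit explicit is one line, e.g. `ex.cb = (wParam > UINT_MAX / sizeof(WCHAR) ? UINT_MAX / sizeof(WCHAR) : wParam) * (unicode ? sizeof(WCHAR) : sizeof(CHAR));`, with a comment saying WM_GETTEXT is only defined for buffer sizes that fit the GETTEXTEX byte count. The new path now relies entirely on ME_GetTextEx to bound its writes to cb, to NUL-terminate inside cb, and to cope with the cb == 0 / lParam == NULL combination that a WM_GETTEXT with wParam == 0 produces; none of that is visible in this hunk, so it should be covered by a test rather than assumed. Note also that the old `if (strlenW(bufferW) >= wParam) rc = 0;` special case is gone, so the value returned on truncation changes from 0 to whatever ME_GetTextEx reports — presumably intended, but worth pinning in the richedit tests. ME_HandleMessage begins before this hunk.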
......