Roman Pišl : user32: Fix buffer overflow in EDIT_EM_ReplaceSel().
Module: wine Branch: master Commit: 9de8ea75645d7092f888ddd7572f35204e672757 URL: http://source.winehq.org/git/wine.git/?a=commit;h=9de8ea75645d7092f888ddd757... Author: Roman Pišl <rpisl(a)seznam.cz> Date: Tue Oct 18 00:34:55 2016 +0200 user32: Fix buffer overflow in EDIT_EM_ReplaceSel(). After EN_MAXTEXT notification, available space may be larger than length of the string. This must be checked and strl must not be set to a value larger than the actual length of the string. Signed-off-by: Roman Pišl <rpisl(a)seznam.cz> Signed-off-by: Alexandre Julliard <julliard(a)winehq.org> --- dlls/user32/edit.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dlls/user32/edit.c b/dlls/user32/edit.c index f5cd3c4..78d78ea 100644 --- a/dlls/user32/edit.c +++ b/dlls/user32/edit.c @@ -2598,7 +2598,7 @@ static void EDIT_EM_ReplaceSel(EDITSTATE *es, BOOL can_undo, LPCWSTR lpsz_replac if (es->buffer_limit < (tl - (e-s))) strl = 0; else - strl = es->buffer_limit - (tl - (e-s)); + strl = min(strl, es->buffer_limit - (tl - (e-s))); } if (!EDIT_MakeFit(es, tl - (e - s) + strl))
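Review bot: In the `else` branch, the new `strl = min(strl, es->buffer_limit - (tl - (e-s)));` has no comment, so the reason for the clamp is recorded only in the commit message. Read on its own, the line looks like a redundant bound, and a later cleanup could simplify it back to the plain subtraction and reintroduce the overflow. Suggest a short comment above the assignment saying that after the EN_MAXTEXT notification the available space may be larger than the replacement string, so `strl` may only shrink here and never grow. The diffstat lists only dlls/user32/edit.c, so no regression test accompanies the fix; a test that drives this path with the available space after the notification larger than the string length would keep the clamp from being lost.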