http://bugs.winehq.org/show_bug.cgi?id=4742
Summary: Message handling in dlls/user/edit.c may crash programs
Product: Wine
Version: unspecified
Platform: PC
OS/Version: Linux
Status: UNCONFIRMED
Severity: major
Priority: P2
Component: wine-user
AssignedTo: wine-bugs@winehq.org
ReportedBy: qingdao33122@yahoo.com
How to reproduce:
1. Write a win32 program that uses a multiline edit control.
2. Try to change the buffer that holds the text by following the procedure outlined in http://msdn.microsoft.com/library/default.asp?url=/library/en-us/shellcc/pla...
Your program crashes.
You can also create a VC6 AppWizard program, making sure your View class inherits from CEditView, run the program, then try to load a text file into the edit pane. (winetools users aren't exposed to this problem because MFC handles this differently on win9x.)
Digging a little further into the source, I am now fairly certain where the problem lies.
When you send an EM_SETHANDLE message to an edit control, you normally should first free the original memory buffer it holds. By the time EM_SETHANDLE is being processed by EditWndProc_common, the HLOCAL for the original buffer may well be invalid. EditWndProc_common seems to call EDIT_LockBuffer before it does anything else. In EDIT_LockBuffer I see code like this:
    textA = LocalLock(es->hloc32A);
    countA = strlen(textA) + 1;
The code above doesn't check that textA is non-NULL before calling strlen, which apparently crashes some programs, even beyond the EM_SETHANDLE case.
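The following is an added illustration, not code from Wine or from this report: it places the unchecked strlen pattern quoted above next to a hardened form that treats a failed lock as an empty buffer, and replays the report's sequence (the application frees the old buffer before EM_SETHANDLE, so the control still holds a stale handle). The Win32 local-heap calls are replaced by stand-ins (fake_LocalAlloc/fake_LocalFree/fake_LocalLock) so it compiles anywhere; the assumption that LocalLock returns NULL for the freed handle is the case the report describes.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the Win32 local-heap API (assumption: a freed handle locks to NULL). */
typedef struct { char *mem; int freed; } local_block;
typedef local_block *HLOCAL;

static HLOCAL fake_LocalAlloc(const char *text) {
    HLOCAL h = malloc(sizeof *h);
    h->mem = malloc(strlen(text) + 1);
    strcpy(h->mem, text);
    h->freed = 0;
    return h;
}
static void fake_LocalFree(HLOCAL h) { free(h->mem); h->mem = NULL; h->freed = 1; }
static char *fake_LocalLock(HLOCAL h) { return (h && !h->freed) ? h->mem : NULL; }

/* Minimal edit-control state, mirroring es->hloc32A in the report. */
typedef struct { HLOCAL hloc32A; } EDITSTATE;

/* The pattern quoted from EDIT_LockBuffer: strlen on the lock result, no NULL check.
 * With a freed handle this dereferences NULL, which is the crash the report describes. */
size_t lock_buffer_unchecked(EDITSTATE *es) {
    char *textA = fake_LocalLock(es->hloc32A);
    return strlen(textA) + 1;
}

/* Hardened form: a failed lock reports failure and a count of 0 instead of crashing. */
int lock_buffer_checked(EDITSTATE *es, size_t *countA) {
    char *textA = fake_LocalLock(es->hloc32A);
    if (!textA) { *countA = 0; return 0; }
    *countA = strlen(textA) + 1;
    return 1;
}

/* Valid handle: the hardened lock returns strlen("old text") + 1 = 9 (constructed sample). */
size_t live_handle_count(void) {
    EDITSTATE es = { fake_LocalAlloc("old text") };
    size_t countA = 0;
    lock_buffer_checked(&es, &countA);
    fake_LocalFree(es.hloc32A);
    free(es.hloc32A);
    return countA;
}

/* Report scenario: the app frees the old buffer before EM_SETHANDLE, leaving a stale
 * handle in the control. Returns 1 when the hardened lock detects it instead of crashing. */
int stale_handle_detected(void) {
    EDITSTATE es = { fake_LocalAlloc("old text") };
    size_t countA = 99;
    fake_LocalFree(es.hloc32A);
    int ok = lock_buffer_checked(&es, &countA);
    free(es.hloc32A);
    return ok == 0 && countA == 0;
}
```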