http://bugs.winehq.org/show_bug.cgi?id=9324

Summary: Mp3Tag: crash when editing the "Year" field in some cases Product: Wine Version: CVS Platform: PC OS/Version: Linux Status: UNCONFIRMED Severity: normal Priority: P2 Component: wine-comctl32 AssignedTo: wine-bugs@winehq.org ReportedBy: the_unknown@gmx.net

Created an attachment (id=7595) --> (http://bugs.winehq.org/attachment.cgi?id=7595) winedbg output and backtrace after crash

wine 0.9.43 and last git version gcc (GCC) 4.2.0 (Gentoo 4.2.0 p1.4) Linux k8t800 2.6.22-gentoo-r3 #1 PREEMPT Tue Aug 14 17:33:41 CEST 2007 i686 AMD Athlon(tm) 64 Processor 3500+ AuthenticAMD GNU/Linux

How to reproduce: - download Mp3Tag v2.39 from http://www.mp3tag.de/en/download.html - edit the date field of some OGG file with another editor (e.g. via Properties->Meta Info in konqueror) to ensure it has more than 4 symbols in that, e.g. "August 2007" - open it with Mp3Tag - select this file in the list - place the cursor to the beginning of the string "August 2007" in the Year field in tag panel (left panel) - press "Delete" button -> segfault

Relevant part of the winedbg output with some additional trace calls added by me attached.

The problem is absent on Windows.

It seems that the maximal text length in the "year" combo box in Mp3Tag is set to 4, but if a file with more text in the "Year" field is loaded, it is showed in the corresponding combo box tough. This causes a negative string length in a calculation in EDIT_EM_ReplaceSel function in dlls/user32/edit.c:3208 and a buffer overflow later (line 3236).

I've made a patch which seems to work fine and do not cause unneeded side effects, but I'm not very familiar with wine internals so better check it :)

I'll provide additional info if needed.