Module: wine Branch: master Commit: c4b023b1b6d13552e3432f754b1dd3a70b5e5edb URL: http://source.winehq.org/git/wine.git/?a=commit;h=c4b023b1b6d13552e3432f754b...
Author: Dylan Smith dylan.ah.smith@gmail.com Date: Thu Jul 30 00:54:21 2009 -0400
richedit: Prevent buffer overflows in WM_GETTEXT.
The application AutoGK was getting the length of the text with WM_GETTEXTLENGTH to allocate an appropriate buffer size, but then claimed the buffer was twice the size when sending WM_GETTEXTEX. This caused the memcpy call to overflow the actual buffer, since the copy length was taken from the claimed buffer size alone, regardless of the amount of text retrieved.
---
dlls/riched20/editor.c | 28 ++-------------------------- 1 files changed, 2 insertions(+), 26 deletions(-)
diff --git a/dlls/riched20/editor.c b/dlls/riched20/editor.c
index 2a6f908..302ee11 100644
--- a/dlls/riched20/editor.c
+++ b/dlls/riched20/editor.c
@@ -3544,36 +3544,12 @@ LRESULT ME_HandleMessage(ME_TextEditor *editor, UINT msg, WPARAM wParam,
 case WM_GETTEXT:
 {
 GETTEXTEX ex;
- LRESULT rc;
- LPSTR bufferA = NULL;
- LPWSTR bufferW = NULL;
-
- if (unicode)
- bufferW = heap_alloc((wParam + 2) * sizeof(WCHAR));
- else
- bufferA = heap_alloc(wParam + 2);
-
- ex.cb = (wParam + 2) * (unicode ? sizeof(WCHAR) : sizeof(CHAR));
+ ex.cb = wParam * (unicode ? sizeof(WCHAR) : sizeof(CHAR));
 ex.flags = GT_USECRLF;
 ex.codepage = unicode ? 1200 : CP_ACP;
 ex.lpDefaultChar = NULL;
 ex.lpUsedDefChar = NULL;
-
- rc = ME_GetTextEx(editor, &ex, unicode ? (LPARAM)bufferW : (LPARAM)bufferA);
-
- if (unicode)
- {
- memcpy((LPWSTR)lParam, bufferW, wParam * sizeof(WCHAR));
- if (strlenW(bufferW) >= wParam) rc = 0;
- }
- else
- {
- memcpy((LPSTR)lParam, bufferA, wParam);
- if (strlen(bufferA) >= wParam) rc = 0;
- }
- heap_free(bufferA);
- heap_free(bufferW);
- return rc;
+ return ME_GetTextEx(editor, &ex, lParam);
 }
 case EM_GETTEXTEX:
 return ME_GetTextEx(editor, (GETTEXTEX*)wParam, lParam);
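Review bot: The new `ex.cb = wParam * (unicode ? sizeof(WCHAR) : sizeof(CHAR));` line makes the caller's wParam the only bound on what ME_GetTextEx writes through lParam, and nothing in the hunk records why no slack is added, so the `+ 2` this commit removes is easy to reintroduce; I would put `/* cb must be exactly the caller-declared size: an app may claim more space than it allocated, so only the text actually retrieved, never wParam characters, may be written back */` above it. Two behaviours of the removed code are not obviously preserved and are worth confirming against ME_GetTextEx, whose body is outside this hunk: the old path forced a return of 0 when the text filled the whole buffer (`strlen(buffer) >= wParam`), and a wParam of 0 now reaches ME_GetTextEx as `ex.cb = 0`. If ME_GetTextEx does not already count the terminating null inside cb, a WM_GETTEXT caller that sizes its buffer from WM_GETTEXTLENGTH could still receive an unterminated string, so that contract deserves a sentence in the comment as well. The enclosing ME_HandleMessage starts and ends outside the hunk.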