Module: wine Branch: master Commit: 3d89e29155dc3a359026caed50840d5a57ab2510 URL: http://source.winehq.org/git/wine.git/?a=commit;h=3d89e29155dc3a359026caed50...
Author: Dylan Smith dylan.ah.smith@gmail.com Date: Thu Jul 30 00:54:13 2009 -0400
richedit: Handle NULL buffer or 0 buffer length in ME_GetTextEx.
ME_GetTextEx directly handles EM_GETTEXTEX, and previously a NULL buffer would be dereferenced, and a 0 buffer length would cause an underflow in the nCount value, which would allow a buffer overflow to occur.
---
dlls/riched20/editor.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/dlls/riched20/editor.c b/dlls/riched20/editor.c
index 1e18c10..2a6f908 100644
--- a/dlls/riched20/editor.c
+++ b/dlls/riched20/editor.c
@@ -1863,6 +1863,8 @@ static int ME_GetTextEx(ME_TextEditor *editor, GETTEXTEX *ex, LPARAM pText) { int nStart, nCount; /* in chars */
+ if (!ex->cb || !pText) return 0; + if (ex->flags & ~(GT_SELECTION | GT_USECRLF)) FIXME("GETTEXTEX flags 0x%08x not supported\n", ex->flags & ~(GT_SELECTION | GT_USECRLF));
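Review bot: The added guard `if (!ex->cb || !pText) return 0;` rejects only a byte count of exactly zero, so a non-zero `cb` smaller than one character may still wrap if the code below converts `cb` to a character count before subtracting the terminator. That computation is outside this hunk, so this needs confirming against the rest of ME_GetTextEx. If it holds, a size check next to the computation on the wide-character path, such as `if (ex->cb < sizeof(WCHAR)) return 0;`, would close the remaining case. The guard also dereferences `ex` before any NULL test even though it arrives from the message parameters, so `if (!ex || !ex->cb || !pText) return 0;` is the safer form. A short comment such as `/* cb is the caller's buffer size in bytes and must hold at least the terminator */` would record why the early return exists.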