Hi,
I have found that the undo_buffer_size for the reallocated undo_buffer in controls\edit.c was remembered incorrectly; it was one too high (alloc_size/sizeof(WCHAR)). It must be alloc_size/sizeof(WCHAR) - 1. After the second realloc and many (32) backward deletes, the word after the undo_buffer was overwritten. If the first allocated undo_buffer_size has the value 15, then the value of undo_buffer_size after reallocation is 32, not 31.
Dietrich (from odin)
/*********************************************************************
 *
 *	EDIT_MakeUndoFit
 *
 *	Try to fit size + 1 bytes in the undo buffer.
 *
 */
static BOOL EDIT_MakeUndoFit(EDITSTATE *es, UINT size)
{
	UINT alloc_size;

	if (size <= es->undo_buffer_size)
		return TRUE;

	TRACE("trying to ReAlloc to %d+1\n", size);

	alloc_size = ROUND_TO_GROW((size + 1) * sizeof(WCHAR));
	if ((es->undo_text = HeapReAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, es->undo_text, alloc_size))) {
		/* <-- corrected line: was alloc_size/sizeof(WCHAR) */
		es->undo_buffer_size = alloc_size/sizeof(WCHAR) - 1;
		return TRUE;
	} else {
		WARN("FAILED ! We now have %d+1\n", es->undo_buffer_size);
		return FALSE;
	}
}
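The off-by-one described in the message above, modelled as an added example (not code from the post or from the project): a fixed array stands in for the heap so the word after the buffer can be checked safely. The 16-bit `WCHAR16` type, the `GROWLENGTH` value, the `ROUND_TO_GROW` definition and all struct and function names are assumptions, chosen so the sizes match the 32 and 31 quoted in the post.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t WCHAR16;   /* assumption: 16-bit WCHAR, as on Windows */
#define GROWLENGTH 32       /* assumption: growth granularity in bytes */
#define ROUND_TO_GROW(n) (((n) + (GROWLENGTH - 1)) & ~(GROWLENGTH - 1))
#define CANARY 0xBEEFu
#define HEAP_ELEMS 128

struct undo_model {
    WCHAR16 backing[HEAP_ELEMS]; /* stand-in heap: buffer, then its neighbour */
    unsigned alloc_elems;        /* elements the buffer really owns */
    unsigned buffer_size;        /* what is remembered as undo_buffer_size */
};

/* Mirrors EDIT_MakeUndoFit; `fixed` selects the "- 1" from the post. */
static int make_fit(struct undo_model *m, unsigned size, int fixed)
{
    unsigned alloc_size;
    if (size <= m->buffer_size) return 1;   /* fast path trusts buffer_size */
    alloc_size = (unsigned)ROUND_TO_GROW((size + 1) * sizeof(WCHAR16));
    if (alloc_size / sizeof(WCHAR16) >= HEAP_ELEMS) return 0;
    m->alloc_elems = alloc_size / sizeof(WCHAR16);
    m->buffer_size = m->alloc_elems - (fixed ? 1u : 0u);
    m->backing[m->alloc_elems] = CANARY;    /* the word after the buffer */
    return 1;
}

/* Grow the buffer, then store `len` characters plus the terminator.
   Returns 1 if the word after the buffer is still intact. */
static int store_keeps_neighbour(unsigned len, int fixed)
{
    struct undo_model m;
    unsigned i;
    memset(&m, 0, sizeof m);
    if (!make_fit(&m, 16, fixed)) return 0; /* 34 bytes -> 64 -> 32 elements */
    if (!make_fit(&m, len, fixed)) return 0;
    for (i = 0; i < len; i++) m.backing[i] = 'x';
    m.backing[len] = 0;                     /* terminator at index len */
    return m.backing[m.alloc_elems] == CANARY;
}

int main(void)
{
    printf("32 chars, size = n:     neighbour intact = %d\n", store_keeps_neighbour(32, 0));
    printf("32 chars, size = n - 1: neighbour intact = %d\n", store_keeps_neighbour(32, 1));
    return 0;
}
```

With the uncorrected size, a request for 32 characters passes the `size <= undo_buffer_size` check without growing, and the terminator lands one element past the 32 that were allocated.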