From: Roman Pišl Subject: [PATCH] user32: Fix buffer overflow in EDIT_EM_ReplaceSel(). Message-Id: <1476743695-13829-1-git-send-email-rpisl@seznam.cz> Date: Tue, 18 Oct 2016 00:34:55 +0200 After EN_MAXTEXT notification, available space may be larger than length of the string. This must be checked and strl must not be set to a value larger than the actual length of the string. Fixes bug https://bugs.winehq.org/show_bug.cgi?id=23838 (tested) and probably https://bugs.winehq.org/show_bug.cgi?id=13319. Signed-off-by: Roman Pišl --- dlls/user32/edit.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dlls/user32/edit.c b/dlls/user32/edit.c index f5cd3c4..78d78ea 100644 --- a/dlls/user32/edit.c +++ b/dlls/user32/edit.c @@ -2598,7 +2598,7 @@ static void EDIT_EM_ReplaceSel(EDITSTATE *es, BOOL can_undo, LPCWSTR lpsz_replac if (es->buffer_limit < (tl - (e-s))) strl = 0; else - strl = es->buffer_limit - (tl - (e-s)); + strl = min(strl, es->buffer_limit - (tl - (e-s))); } if (!EDIT_MakeFit(es, tl - (e - s) + strl)) -- 2.7.4