From: Roman Pišl <rpisl@seznam.cz>
Subject: [PATCH] user32: Fix buffer overflow in EDIT_EM_ReplaceSel().
Message-Id: <1476743695-13829-1-git-send-email-rpisl@seznam.cz>
Date: Tue, 18 Oct 2016 00:34:55 +0200

After EN_MAXTEXT notification, available space may be larger than
length of the string. This must be checked and strl must not be
set to a value larger than the actual length of the string.

Fixes bug https://bugs.winehq.org/show_bug.cgi?id=23838 (tested)
and probably https://bugs.winehq.org/show_bug.cgi?id=13319.

Signed-off-by: Roman Pišl <rpisl@seznam.cz>
---
 dlls/user32/edit.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dlls/user32/edit.c b/dlls/user32/edit.c
index f5cd3c4..78d78ea 100644
--- a/dlls/user32/edit.c
+++ b/dlls/user32/edit.c
@@ -2598,7 +2598,7 @@ static void EDIT_EM_ReplaceSel(EDITSTATE *es, BOOL can_undo, LPCWSTR lpsz_replac
 		if (es->buffer_limit < (tl - (e-s)))
 			strl = 0;
 		else
-			strl = es->buffer_limit - (tl - (e-s));
+			strl = min(strl, es->buffer_limit - (tl - (e-s)));
 	}
 
 	if (!EDIT_MakeFit(es, tl - (e - s) + strl))

-- 
2.7.4