From 8baf70a2d04d227de28452c819c48f3bfd5171a4 Mon Sep 17 00:00:00 2001
From: Akihiro Sagawa <sagawa.aki@gmail.com>
Date: Sun, 2 Aug 2020 19:39:58 +0900
Subject: [PATCH] user32: Fix wsprintfA's buffer usage when using %S.

This fixes a regression introduced by
08bf605acb4d319e016a7eafe0c675509445bd4a.
It could lead to stack corruption because ret can be negative when the
output position, p, doesn't point the beginning of the buffer before
the inner loop.

Signed-off-by: Akihiro Sagawa <sagawa.aki@gmail.com>
Signed-off-by: Alexandre Julliard <julliard@winehq.org>
---
 dlls/user32/wsprintf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dlls/user32/wsprintf.c b/dlls/user32/wsprintf.c
index db02f066342..ac57603b763 100644
--- a/dlls/user32/wsprintf.c
+++ b/dlls/user32/wsprintf.c
@@ -413,8 +413,8 @@ static INT wvsnprintfA( LPSTR buffer, UINT maxlen, LPCSTR spec, __ms_va_list arg
                 {
                     CHAR mb[5]; /* 5 is MB_LEN_MAX */
                     int ret = WideCharToMultiByte( CP_ACP, 0, ptr, 1, mb, sizeof(mb), NULL, NULL );
+                    if (ret > len - i) ret = len - i;
                     i += ret;
-                    if (i > len) ret = len - (p - buffer);
                     memcpy( p, mb, ret );
                     p += ret;
                 }