richedit: Prevent buffer overflows in WM_GETTEXT.

The application AutoGK was getting the length of the text with
WM_GETTEXTLENGTH to allocate an appropriate buffer size, but then
claimed the buffer was twice that size when sending WM_GETTEXTEX.  This
caused the memcpy call to overflow the actual buffer, since the copy
count was based on the claimed buffer size alone, regardless of the
amount of text retrieved.
Dylan Smith 2009-07-30 00:54:21 -04:00 committed by Alexandre Julliard
parent 3d89e29155
commit c4b023b1b6
1 changed files with 2 additions and 26 deletions


@ -3544,36 +3544,12 @@ LRESULT ME_HandleMessage(ME_TextEditor *editor, UINT msg, WPARAM wParam,
case WM_GETTEXT: case WM_GETTEXT:
{ {
GETTEXTEX ex; GETTEXTEX ex;
LRESULT rc; ex.cb = wParam * (unicode ? sizeof(WCHAR) : sizeof(CHAR));
LPSTR bufferA = NULL;
LPWSTR bufferW = NULL;
if (unicode)
bufferW = heap_alloc((wParam + 2) * sizeof(WCHAR));
else
bufferA = heap_alloc(wParam + 2);
ex.cb = (wParam + 2) * (unicode ? sizeof(WCHAR) : sizeof(CHAR));
ex.flags = GT_USECRLF; ex.flags = GT_USECRLF;
ex.codepage = unicode ? 1200 : CP_ACP; ex.codepage = unicode ? 1200 : CP_ACP;
ex.lpDefaultChar = NULL; ex.lpDefaultChar = NULL;
ex.lpUsedDefChar = NULL; ex.lpUsedDefChar = NULL;
return ME_GetTextEx(editor, &ex, lParam);
rc = ME_GetTextEx(editor, &ex, unicode ? (LPARAM)bufferW : (LPARAM)bufferA);
if (unicode)
{
memcpy((LPWSTR)lParam, bufferW, wParam * sizeof(WCHAR));
if (strlenW(bufferW) >= wParam) rc = 0;
}
else
{
memcpy((LPSTR)lParam, bufferA, wParam);
if (strlen(bufferA) >= wParam) rc = 0;
}
heap_free(bufferA);
heap_free(bufferW);
return rc;
} }
case EM_GETTEXTEX: case EM_GETTEXTEX:
return ME_GetTextEx(editor, (GETTEXTEX*)wParam, lParam); return ME_GetTextEx(editor, (GETTEXTEX*)wParam, lParam);
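Review bot: With the new `ex.cb = wParam * ...` on line 21 and the direct `return ME_GetTextEx(editor, &ex, lParam);` on line 33, the entire bounds contract of WM_GETTEXT now rests on ME_GetTextEx staying within ex.cb bytes and NUL-terminating inside the caller's wParam characters (including the wParam == 0 case), yet ME_GetTextEx is outside this hunk and nothing here records that assumption; I would add `/* WM_GETTEXT: wParam is the caller's buffer size in characters, terminator included; ME_GetTextEx must stay within ex.cb bytes and NUL-terminate */` above the `ex.cb =` line. The removed branches also forced `rc = 0` whenever the text filled the buffer (`if (strlenW(bufferW) >= wParam) rc = 0;`), so the return value for truncated text is now whatever ME_GetTextEx reports — presumably intended, but worth a sentence in the commit message if any caller relied on the old value. On 64-bit builds `wParam * sizeof(WCHAR)` is computed in a pointer-sized type and then narrowed into GETTEXTEX.cb, which I believe is a DWORD, so an oversized wParam wraps rather than being rejected; that only shrinks the copy, so it is not an overflow, but a note on the narrowing would help the next reader. The enclosing ME_HandleMessage begins and ends outside the hunk.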