From f3b8ccb2f79c9b4801493898a63a2520bc43afd4 Mon Sep 17 00:00:00 2001
From: Jacek Caban <jacek@codeweavers.com>
Date: Thu, 24 Sep 2020 17:26:51 +0200
Subject: [PATCH] conhost: Improve bound checking in fill_output.

Inspired by Pengpeng Dong's patch.

Signed-off-by: Jacek Caban <jacek@codeweavers.com>
Signed-off-by: Alexandre Julliard <julliard@winehq.org>
---
 programs/conhost/conhost.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/programs/conhost/conhost.c b/programs/conhost/conhost.c
index ed528385286..61346a38179 100644
--- a/programs/conhost/conhost.c
+++ b/programs/conhost/conhost.c
@@ -2168,9 +2168,9 @@ static NTSTATUS fill_output( struct screen_buffer *screen_buffer, const struct c
 
     TRACE( "(%u %u) mode %u\n", params->x, params->y, params->mode );
 
-    dest = screen_buffer->data + params->y * screen_buffer->width + params->x;
-
     if (params->y >= screen_buffer->height) return STATUS_SUCCESS;
+    dest = screen_buffer->data + min( params->y * screen_buffer->width + params->x,
+                                      screen_buffer->height * screen_buffer->width );
 
     if (params->wrap)
         end = screen_buffer->data + screen_buffer->height * screen_buffer->width;