From baf79a6a8586eaff697a4346e384431094e0de5f Mon Sep 17 00:00:00 2001
From: Darkvater
Date: Fri, 2 Mar 2007 15:08:28 +0000
Subject: (svn r8975) -Regression: [win32] Possible buffer overflow if unicode text is pasted into an input box and needs trimming. The last character was wrongly assumed to be of length 1 (tb->maxlength - 1), while a unicode character can be up to 4 long.
---
 src/win32.cpp | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
(limited to 'src/win32.cpp')
diff --git a/src/win32.cpp b/src/win32.cpp
index 396c38d82..e6a4f6a27 100644
--- a/src/win32.cpp
+++ b/src/win32.cpp
@@ -1017,16 +1017,16 @@ bool InsertTextBufferClipboard(Textbuf *tb)
 width = length = 0; for (ptr = utf8_buf; (c = Utf8Consume(&ptr)) != '\0';) { - byte charwidth; - if (!IsPrintable(c)) break; - if (tb->length + length >= tb->maxlength - 1) break; - charwidth = GetCharacterWidth(FS_NORMAL, c); + size_t len = Utf8CharLen(c); + if (tb->length + length >= tb->maxlength - (uint16)len) break; + + byte charwidth = GetCharacterWidth(FS_NORMAL, c); if (tb->maxwidth != 0 && width + tb->width + charwidth > tb->maxwidth) break; width += charwidth; - length += Utf8CharLen(c); + length += len; } if (length == 0) return false;
@@ -1038,6 +1038,7 @@ bool InsertTextBufferClipboard(Textbuf *tb)
 tb->length += length;
 tb->caretpos += length;
+ assert(tb->length < tb->maxlength);
 tb->buf[tb->length] = '\0'; // terminating zero
 return true;
-- cgit v1.2.3-54-g00ecf
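Review bot: The new bound `tb->length + length >= tb->maxlength - (uint16)len` in the paste loop is only correct if the subtraction is done in signed `int` after promotion. The declarations of `length` and `tb->length` are outside this hunk; if either is an unsigned type at least as wide as `int`, a `tb->maxlength` smaller than `len` would make the right-hand side wrap and the `break` would be skipped. The additive form `if (tb->length + length + len >= tb->maxlength) break;` drops the C-style cast and cannot go negative. A short comment such as `// need room for the whole UTF-8 sequence plus the terminating '\0'` would record why the character's byte length is used. InsertTextBufferClipboard starts and ends outside the hunk.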
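Review bot: The added `assert(tb->length < tb->maxlength);` is compiled out when NDEBUG is defined and sits after `tb->length += length`, so it cannot act as a guard in release builds. Any copy into `tb->buf` happens in the lines between the two hunks, which are not visible here, and has presumably already run by the time the assert can fire. If the invariant is meant to protect the buffer, test it before the buffer is touched, for example `if (tb->length + length >= tb->maxlength) return false;` ahead of the copy. If it is kept purely as a debugging aid, a comment like `// the trimming loop must leave room for the terminating '\0'` would say so.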