ui_textedit_delete_selection() could access past the array bounds.
authorCampbell Barton <ideasman42@gmail.com>
Tue, 8 Mar 2011 02:24:29 +0000 (02:24 +0000)
committerCampbell Barton <ideasman42@gmail.com>
Tue, 8 Mar 2011 02:24:29 +0000 (02:24 +0000)
source/blender/editors/interface/interface_handlers.c

index c01eb351fbac0ec2bee07c1f9ebdde4f4188004f..67154a41e32d15c1a6846a80bcf9ef0450589948 100644 (file)
@@ -1254,7 +1254,7 @@ static int ui_textedit_delete_selection(uiBut *but, uiHandleButtonData *data)
        int len= strlen(str);
        int change= 0;
        if(but->selsta != but->selend && len) {
-               memmove( str+but->selsta, str+but->selend, len-but->selsta+1 );
+               memmove( str+but->selsta, str+but->selend, (len - but->selend) + 1 );
                change= 1;
        }