From 10910ca9e10ceac8f520d0c4e490d5fed441513c Mon Sep 17 00:00:00 2001
From: Katayama Hirofumi MZ
Date: Thu, 7 Dec 2017 15:43:22 +0900
Subject: [PATCH] [GDI32] Fix TextOutA multibyte text length overgoing. CORE-14070
---
 win32ss/gdi/gdi32/objects/text.c | 30 ++++++++++++++++++++++++++----
 1 file changed, 26 insertions(+), 4 deletions(-)
diff --git a/win32ss/gdi/gdi32/objects/text.c b/win32ss/gdi/gdi32/objects/text.c
index fde5aaf784f..31ee3ca2ff4 100644
--- a/win32ss/gdi/gdi32/objects/text.c
+++ b/win32ss/gdi/gdi32/objects/text.c
@@ -1,3 +1,11 @@
+/*
+ * PROJECT: ReactOS GDI32
+ * LICENSE: GPL-2.0+ (https://spdx.org/licenses/GPL-2.0+)
+ * PURPOSE: Text drawing API.
+ * COPYRIGHT: Copyright 2014 Timo Kreuzer
+ * Copyright 2017 Katayama Hirofumi MZ
+ */
+
 #include
 #define NDEBUG
@@ -18,18 +26,32 @@ TextOutA(
 ANSI_STRING StringA;
 UNICODE_STRING StringU;
 BOOL bResult;
+ NTSTATUS Status;
- if (lpString != NULL)
+ if (lpString != NULL && cchString > 0)
 {
- RtlInitAnsiString(&StringA, (LPSTR)lpString);
- RtlAnsiStringToUnicodeString(&StringU, &StringA, TRUE);
+ if (cchString > MAXUSHORT)
+ cchString = MAXUSHORT;
+
+ StringA.Length = (USHORT)cchString;
+ StringA.MaximumLength = (USHORT)cchString;
+ StringA.Buffer = (PCHAR)lpString;
+
+ Status = RtlAnsiStringToUnicodeString(&StringU, &StringA, TRUE);
+ if (!NT_SUCCESS(Status))
+ {
+ StringU.Buffer = NULL;
+ StringU.Length = 0;
+ }
 }
 else
 {
 StringU.Buffer = NULL;
+ StringU.Length = 0;
 }
- bResult = TextOutW(hdc, nXStart, nYStart, StringU.Buffer, cchString);
+ bResult = TextOutW(hdc, nXStart, nYStart,
+ StringU.Buffer, StringU.Length / sizeof(WCHAR));
 RtlFreeUnicodeString(&StringU);
 return bResult;
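Review bot: In TextOutA, the new `if (!NT_SUCCESS(Status))` branch swallows the conversion failure: it empties StringU and still calls TextOutW, so an allocation or conversion error reaches the caller as whatever drawing zero characters returns. The clamp above it makes this reachable with ordinary input, because cchString may be up to MAXUSHORT bytes while UNICODE_STRING.Length is a USHORT counted in bytes; a long single-byte string needs about twice that and presumably makes RtlAnsiStringToUnicodeString fail (confirm against the Rtl implementation). I would report the error, `if (!NT_SUCCESS(Status)) return FALSE;`, and clamp to a length whose converted form fits, e.g. `if (cchString > MAXUSHORT / sizeof(WCHAR) - 1) cchString = MAXUSHORT / sizeof(WCHAR) - 1;`. TextOutA's parameter list and closing brace lie outside the hunk.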