From be7d79768e0b24e57149db96b85d37039bfc512a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marcin=20Jab=C5=82o=C5=84ski?= <nnxcomputing@gmail.com>
Date: Wed, 26 Mar 2025 10:32:17 +0100
Subject: [PATCH] [COMCTL32] Fix a heap corruption in EDIT_EM_ReplaceSel
 (#7598)

https://jira.reactos.org/browse/CORE-19743
---
 dll/win32/comctl32/edit.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/dll/win32/comctl32/edit.c b/dll/win32/comctl32/edit.c
index 767a63942f9..36286b92161 100644
--- a/dll/win32/comctl32/edit.c
+++ b/dll/win32/comctl32/edit.c
@@ -2591,7 +2591,11 @@ static void EDIT_EM_ReplaceSel(EDITSTATE *es, BOOL can_undo, const WCHAR *lpsz_r
 		EDIT_CalcLineWidth_SL(es);
 		/* remove chars that don't fit */
 		if (honor_limit && !(es->style & ES_AUTOHSCROLL) && (es->text_width > fw)) {
+#ifdef __REACTOS__
+			while ((es->text_width > fw) && s + strl > 0) {
+#else
 			while ((es->text_width > fw) && s + strl >= s) {
+#endif
 				lstrcpyW(es->text + s + strl - 1, es->text + s + strl);
 				strl--;
 				es->text_length = -1;