Ensure enough room for NUL terminator in string return values.

2 files changed, 7 insertions, 3 deletions

diff --git a/doc/ScintillaHistory.html b/doc/ScintillaHistory.html
index d02801cf6..a77acf033 100644
--- a/doc/ScintillaHistory.html
+++ b/doc/ScintillaHistory.html
@@ -579,6 +579,9 @@
 	<li>
 	Made compatible with Qt 6.
 	</li>
+	<li>
+	Fix potential issue with length of buffer for string returning APIs in ScintillaEdit on Qt.
+	</li>
     </ul>
     <h3>
        <a href="https://www.scintilla.org/scintilla515.zip">Release 5.1.5</a>
diff --git a/qt/ScintillaEdit/ScintillaEdit.cpp.template b/qt/ScintillaEdit/ScintillaEdit.cpp.template
index 9cebc8300..a46a1d12d 100644
--- a/qt/ScintillaEdit/ScintillaEdit.cpp.template
+++ b/qt/ScintillaEdit/ScintillaEdit.cpp.template
@@ -13,11 +13,12 @@ ScintillaEdit::~ScintillaEdit() {
 }
 
 QByteArray ScintillaEdit::TextReturner(int message, uptr_t wParam) const {
-    int length = send(message, wParam, 0);
-    QByteArray ba(length, '\0');
+    // While Scintilla can return strings longer than maximum(int), QByteArray uses int size
+    const int length = static_cast<int>(send(message, wParam, 0));
+    QByteArray ba(length + 1, '\0');
     send(message, wParam, (sptr_t)ba.data());
     // Remove extra NULs
-    if (ba.size() > 0 && ba.at(ba.size()-1) == 0)
+    if (ba.at(ba.size()-1) == 0)
         ba.chop(1);
     return ba;
 }