ntdll: Fix a buffer overflow in environment variable expansion.

Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=52093Signed-off-by: Alexandre Julliard <julliard@winehq.org>

ntdll: Fix a buffer overflow in environment variable expansion.
95931fcd · Alexandre Julliard · 5784c80b · 95931fcd
Commit 95931fcd authored Nov 23, 2021 by Alexandre Julliard
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

env.c dlls/ntdll/unix/env.c +2 -2

No files found.
--- a/dlls/ntdll/unix/env.c
+++ b/dlls/ntdll/unix/env.c
@@ -1321,7 +1321,7 @@ static void add_dynamic_environment( WCHAR **env, SIZE_T *pos, SIZE_T *size )

 static WCHAR *expand_value( WCHAR *env, SIZE_T size, const WCHAR *src, SIZE_T src_len )
 {
-    SIZE_T len, retlen = src_len, count = 0;
+    SIZE_T len, retlen = src_len + 1, count = 0;
    const WCHAR *var;
    WCHAR *ret;

@@ -1364,7 +1364,7 @@ static WCHAR *expand_value( WCHAR *env, SIZE_T size, const WCHAR *src, SIZE_T sr
        }
        if (len >= retlen - count)
        {
-            retlen *= 2;
+            retlen = max( retlen * 2, count + len + 1 );
            ret = realloc( ret, retlen * sizeof(WCHAR) );
        }
        memcpy( ret + count, var, len * sizeof(WCHAR) );