diff --git a/dlls/kernel/environ.c b/dlls/kernel/environ.c
index 488752553cc..2de9b920f70 100644
--- a/dlls/kernel/environ.c
+++ b/dlls/kernel/environ.c
@@ -345,6 +345,11 @@ DWORD WINAPI ExpandEnvironmentStringsW( LPCWSTR src, LPWSTR dst, DWORD len )
     TRACE("(%s %p %lu)\n", debugstr_w(src), dst, len);
 
     RtlInitUnicodeString(&us_src, src);
+
+    /* make sure we don't overflow maximum UNICODE_STRING size */
+    if (len > 0x7fff)
+        len = 0x7fff;
+
     us_dst.Length = 0;
     us_dst.MaximumLength = len * sizeof(WCHAR);
     us_dst.Buffer = dst;
diff --git a/dlls/kernel/tests/environ.c b/dlls/kernel/tests/environ.c
index 9c041624fe4..c9b8cd9d39d 100644
--- a/dlls/kernel/tests/environ.c
+++ b/dlls/kernel/tests/environ.c
@@ -213,9 +213,14 @@ static void test_GetSetEnvironmentVariableW(void)
 
 static void test_ExpandEnvironmentStringsA(void)
 {
-    char buf[256], buf1[256];
+    char buf[256], buf1[256], buf2[0x8000];
     DWORD ret_size, ret_size1;
 
+    /* test a large destination size */
+    strcpy(buf, "12345");
+    ret_size = ExpandEnvironmentStringsA(buf, buf2, sizeof(buf2));
+    ok(!strcmp(buf, buf2), "ExpandEnvironmentStrings failed %s vs %s. ret_size = %ld\n", buf, buf2, ret_size);
+
     ret_size1 = GetWindowsDirectoryA(buf1,256);
     ok ((ret_size1 >0) && (ret_size1<256), "GetWindowsDirectory Failed\n");
     ret_size = ExpandEnvironmentStringsA("%SystemRoot%",buf,sizeof(buf));