From 95931fcd365dd393291a6a8d4f4d279f7fd7d8aa Mon Sep 17 00:00:00 2001
From: Alexandre Julliard
Date: Tue, 23 Nov 2021 21:00:14 +0100
Subject: [PATCH] ntdll: Fix a buffer overflow in environment variable expansion.

Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=52093
Signed-off-by: Alexandre Julliard
---
 dlls/ntdll/unix/env.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/dlls/ntdll/unix/env.c b/dlls/ntdll/unix/env.c
index 24f4fa5a588..0f195a33846 100644
--- a/dlls/ntdll/unix/env.c
+++ b/dlls/ntdll/unix/env.c
@@ -1321,7 +1321,7 @@ static void add_dynamic_environment( WCHAR **env, SIZE_T *pos, SIZE_T *size )

 static WCHAR *expand_value( WCHAR *env, SIZE_T size, const WCHAR *src, SIZE_T src_len )
 {
- SIZE_T len, retlen = src_len, count = 0;
+ SIZE_T len, retlen = src_len + 1, count = 0;
 const WCHAR *var;
 WCHAR *ret;

@@ -1364,7 +1364,7 @@ static WCHAR *expand_value( WCHAR *env, SIZE_T size, const WCHAR *src, SIZE_T sr
 }
 if (len >= retlen - count)
 {
- retlen *= 2;
+ retlen = max( retlen * 2, count + len + 1 );
 ret = realloc( ret, retlen * sizeof(WCHAR) );
 }
 memcpy( ret + count, var, len * sizeof(WCHAR) );
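Review bot: The `+ 1` added to the initial `retlen` carries no explanation, and nothing visible in this hunk says what the extra element is reserved for. A one-line comment on the declaration would keep the sizing invariant from being lost again, for example `/* retlen is in WCHARs and always keeps one slot free for the terminating null */`. The terminator is presumably written after the copy loop, which lies outside this hunk, so confirm that before wording the comment as fact. The body of expand_value continues past the end of the hunk.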
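Review bot: The `realloc` result on the line after the new `retlen` computation is still assigned straight to `ret` and never checked. On allocation failure the `memcpy` on the last line would write through a null-based pointer, and the old buffer would be leaked. Going through a temporary avoids both: `if (!(tmp = realloc( ret, retlen * sizeof(WCHAR) ))) { free( ret ); return NULL; }` followed by `ret = tmp;`. Whether callers of expand_value tolerate a NULL return is not visible here and needs checking. Separately, `retlen * 2`, `count + len + 1` and `retlen * sizeof(WCHAR)` are unchecked SIZE_T arithmetic; environment sizes probably keep them far from wrapping, but a comment stating that assumption would help. The function starts and ends outside this hunk.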