Esme Povirk (@madewokherd) commented about dlls/uiautomationcore/uia_client.c:
+ if (desc_len <= cur_len) + return hr; + + if (desc_len >= max_len) + { + hr = E_OUTOFMEMORY; + goto exit; + } + + new_len = max(1, cur_len); + while (new_len < desc_len && new_len <= (max_len / 2)) + new_len *= 2; + if (new_len < desc_len) + new_len = desc_len; + + if (!SysReAllocStringLen(desc, NULL, new_len)) This doesn't seem right to me. BSTR's aren't really NULL-terminated, the allocated length is the length of the string. The terminator is just there for compatibility.
Also, I would probably have written a `bstrcat_realloc()` sort of function to deal with this (or even an sprintf wrapper but that's more complicated because of varags). -- https://gitlab.winehq.org/wine/wine/-/merge_requests/2470#note_27807