https://bugs.winehq.org/show_bug.cgi?id=49314
--- Comment #5 from esteve.varela@gmail.com --- Tracking down that commit, and messing around with the differences in the code before and after, this change seems to fix it:
diff --git a/dlls/ntdll/env.c b/dlls/ntdll/env.c index f8b243154b..8d5d86e48c 100644 --- a/dlls/ntdll/env.c +++ b/dlls/ntdll/env.c @@ -810,9 +810,9 @@ static void build_command_line( WCHAR **argv, UNICODE_STRING *cmdline ) LPWSTR p;
len = 1; - for (arg = argv; *arg; arg++) len += 3 + 2 * wcslen( *arg ); + for (arg = argv; *arg; arg++) len += 3 + wcslen( *arg ); cmdline->MaximumLength = len * sizeof(WCHAR); - if (!(cmdline->Buffer = RtlAllocateHeap( GetProcessHeap(), 0, cmdline->MaximumLength ))) return; + if (!(cmdline->Buffer = RtlAllocateHeap( GetProcessHeap(), 0, len * sizeof(WCHAR) ))) return;
p = cmdline->Buffer; for (arg = argv; *arg; arg++)
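Review bot: the first change in this hunk, dropping the `2 *` factor from the length estimate, shrinks the allocation below the worst case the loop that follows can write (the original bound allows for every character of an argument being escaped when it is quoted), so an argument that needs many backslash escapes could now overrun the buffer. The second change, passing `len * sizeof(WCHAR)` to RtlAllocateHeap instead of `cmdline->MaximumLength`, is the part that addresses the crash: `MaximumLength` in a UNICODE_STRING is a USHORT, so once `len * sizeof(WCHAR)` exceeds 65535 the assignment silently truncates and the heap block ends up smaller than the bytes written into it. Suggest keeping the `2 *` term, and since `cmdline->MaximumLength` still holds the truncated value for anything that reads it afterwards, checking the product before the assignment and failing (or bounding `len`) when it does not fit in a USHORT rather than only sizing the allocation correctly. A write past an undersized heap allocation is memory corruption, so this deserves to be handled as a security-relevant fix, not just a segfault fix.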
This probably isn't a "proper" fix but it works well enough to not segfault. I suppose the "MaximumLength" value overflows for some reason, and should be bounds-checked. I wonder if this is a security issue?