Alexandre Julliard : ntdll: Fix a buffer overflow in environment variable expansion. - wine-commits

23 Nov 2021

Module: wine
Branch: master
Commit: 95931fcd365dd393291a6a8d4f4d279f7fd7d8aa
URL:    https://source.winehq.org/git/wine.git/?a=commit;h=95931fcd365dd393291a6a8d4...
Author: Alexandre Julliard julliard@winehq.org
Date:   Tue Nov 23 21:00:14 2021 +0100
ntdll: Fix a buffer overflow in environment variable expansion.
Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=52093
Signed-off-by: Alexandre Julliard julliard@winehq.org
---
dlls/ntdll/unix/env.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/dlls/ntdll/unix/env.c b/dlls/ntdll/unix/env.c
index 24f4fa5a588..0f195a33846 100644
--- a/dlls/ntdll/unix/env.c
+++ b/dlls/ntdll/unix/env.c
@@ -1321,7 +1321,7 @@ static void add_dynamic_environment( WCHAR **env, SIZE_T *pos, SIZE_T *size )
static WCHAR *expand_value( WCHAR *env, SIZE_T size, const WCHAR *src, SIZE_T src_len )
 {
-    SIZE_T len, retlen = src_len, count = 0;
+    SIZE_T len, retlen = src_len + 1, count = 0;
     const WCHAR *var;
     WCHAR *ret;
@@ -1364,7 +1364,7 @@ static WCHAR *expand_value( WCHAR *env, SIZE_T size, const WCHAR *src, SIZE_T sr
         }
         if (len >= retlen - count)
         {
-            retlen *= 2;
+            retlen = max( retlen * 2, count + len + 1 );
             ret = realloc( ret, retlen * sizeof(WCHAR) );
         }
         memcpy( ret + count, var, len * sizeof(WCHAR) );

    