diff --git a/dlls/advapi32/registry.c b/dlls/advapi32/registry.c
index 20f6a7c..ead9b1a 100644
--- a/dlls/advapi32/registry.c
+++ b/dlls/advapi32/registry.c
@@ -1217,7 +1217,7 @@ LONG WINAPI RegQueryValueExA( HKEY hkey,
 {
     NTSTATUS status;
     ANSI_STRING nameA;
-    DWORD total_size;
+    DWORD total_size, datalen = 0;
     char buffer[256], *buf_ptr = buffer;
     KEY_VALUE_PARTIAL_INFORMATION *info = (KEY_VALUE_PARTIAL_INFORMATION *)buffer;
     static const int info_size = offsetof( KEY_VALUE_PARTIAL_INFORMATION, Data );
@@ -1228,6 +1228,7 @@ LONG WINAPI RegQueryValueExA( HKEY hkey,
     if ((data && !count) || reserved) return ERROR_INVALID_PARAMETER;
     if (!(hkey = get_special_root_hkey( hkey ))) return ERROR_INVALID_HANDLE;
 
+    if (count) datalen = *count;
     if (!data && count) *count = 0;
 
     /* this matches Win9x behaviour - NT sets *type to a random value */
@@ -1270,21 +1271,21 @@ LONG WINAPI RegQueryValueExA( HKEY hkey,
                                        total_size - info_size );
             if (data && len)
             {
-                if (len > *count) status = STATUS_BUFFER_OVERFLOW;
+                if (len > datalen) status = STATUS_BUFFER_OVERFLOW;
                 else
                 {
                     RtlUnicodeToMultiByteN( (char*)data, len, NULL, (WCHAR *)(buf_ptr + info_size),
                                             total_size - info_size );
                     /* if the type is REG_SZ and data is not 0-terminated
                      * and there is enough space in the buffer NT appends a \0 */
-                    if (len < *count && data[len-1]) data[len] = 0;
+                    if (len < datalen && data[len-1]) data[len] = 0;
                 }
             }
             total_size = len + info_size;
         }
         else if (data)
         {
-            if (total_size - info_size > *count) status = STATUS_BUFFER_OVERFLOW;
+            if (total_size - info_size > datalen) status = STATUS_BUFFER_OVERFLOW;
             else memcpy( data, buf_ptr + info_size, total_size - info_size );
         }
     }
diff --git a/dlls/advapi32/tests/registry.c b/dlls/advapi32/tests/registry.c
index 152c8e7..7c963d8 100644
--- a/dlls/advapi32/tests/registry.c
+++ b/dlls/advapi32/tests/registry.c
@@ -352,6 +352,10 @@ static void test_query_value_ex(void)
     ret = RegQueryValueExA(HKEY_CLASSES_ROOT, "Nonexistent Value", NULL, &type, buffer, &size);
     ok(ret == ERROR_FILE_NOT_FOUND, "expected ERROR_FILE_NOT_FOUND, got %d\n", ret);
     ok(size == sizeof(buffer), "size shouldn't have been changed to %d\n", size);
+
+    size = 4;
+    ret = RegQueryValueExA(hkey_main, "BIN32", NULL, &size, buffer, &size);
+    ok(ret == ERROR_SUCCESS, "expected ERROR_SUCCESS, got %d\n", ret);
 }
 
 static void test_get_value(void)