Alexandre Julliard : ntdll: Fix a buffer overflow in environment variable expansion.
Alexandre Julliard
julliard at winehq.org
Tue Nov 23 16:03:30 CST 2021
Module: wine
Branch: master
Commit: 95931fcd365dd393291a6a8d4f4d279f7fd7d8aa
URL: https://source.winehq.org/git/wine.git/?a=commit;h=95931fcd365dd393291a6a8d4f4d279f7fd7d8aa
Author: Alexandre Julliard <julliard at winehq.org>
Date: Tue Nov 23 21:00:14 2021 +0100
ntdll: Fix a buffer overflow in environment variable expansion.
Wine-Bug: https://bugs.winehq.org/show_bug.cgi?id=52093
Signed-off-by: Alexandre Julliard <julliard at winehq.org>
---
dlls/ntdll/unix/env.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/dlls/ntdll/unix/env.c b/dlls/ntdll/unix/env.c
index 24f4fa5a588..0f195a33846 100644
--- a/dlls/ntdll/unix/env.c
+++ b/dlls/ntdll/unix/env.c
@@ -1321,7 +1321,7 @@ static void add_dynamic_environment( WCHAR **env, SIZE_T *pos, SIZE_T *size )
static WCHAR *expand_value( WCHAR *env, SIZE_T size, const WCHAR *src, SIZE_T src_len )
{
- SIZE_T len, retlen = src_len, count = 0;
+ SIZE_T len, retlen = src_len + 1, count = 0;
const WCHAR *var;
WCHAR *ret;
@@ -1364,7 +1364,7 @@ static WCHAR *expand_value( WCHAR *env, SIZE_T size, const WCHAR *src, SIZE_T sr
}
if (len >= retlen - count)
{
- retlen *= 2;
+ retlen = max( retlen * 2, count + len + 1 );
ret = realloc( ret, retlen * sizeof(WCHAR) );
}
memcpy( ret + count, var, len * sizeof(WCHAR) );
More information about the wine-cvs
mailing list