kernel32: fix ExpandEnvironmentStrings to not overflow UNICODE_STRING buffer size (with test)

[Robert Reif]

-------------- next part --------------
diff -p -u -r1.11 environ.c
--- dlls/kernel/environ.c	23 May 2006 12:48:03 -0000	1.11
+++ dlls/kernel/environ.c	19 Aug 2006 17:22:07 -0000
@@ -345,6 +345,11 @@ DWORD WINAPI ExpandEnvironmentStringsW( 
     TRACE("(%s %p %lu)\n", debugstr_w(src), dst, len);
 
     RtlInitUnicodeString(&us_src, src);
+
+    /* make sure we don't overflow maximum UNICODE_STRING size */
+    if (len > 0x7fff)
+        len = 0x7fff;
+
     us_dst.Length = 0;
     us_dst.MaximumLength = len * sizeof(WCHAR);
     us_dst.Buffer = dst;
diff -p -u -r1.12 environ.c
--- dlls/kernel/tests/environ.c	23 May 2006 12:48:07 -0000	1.12
+++ dlls/kernel/tests/environ.c	19 Aug 2006 17:22:08 -0000
@@ -213,9 +213,14 @@ static void test_GetSetEnvironmentVariab
 
 static void test_ExpandEnvironmentStringsA(void)
 {
-    char buf[256], buf1[256];
+    char buf[256], buf1[256], buf2[0x8000];
     DWORD ret_size, ret_size1;
 
+    /* test a large destination size */
+    strcpy(buf, "12345");
+    ret_size = ExpandEnvironmentStringsA(buf, buf2, sizeof(buf2));
+    ok(!strcmp(buf, buf2), "ExpandEnvironmentStrings failed %s vs %s. ret_size = %ld\n", buf, buf2, ret_size);
+
     ret_size1 = GetWindowsDirectoryA(buf1,256);
     ok ((ret_size1 >0) && (ret_size1<256), "GetWindowsDirectory Failed\n");
     ret_size = ExpandEnvironmentStringsA("%SystemRoot%",buf,sizeof(buf));