From 3e68f602441e7be519f295b9dfa046f90f8eb4db Mon Sep 17 00:00:00 2001 From: Gunnar Dalsnes Date: Sun, 16 Oct 2005 01:27:32 +0000 Subject: [PATCH] fix two buffer overflows svn path=/trunk/; revision=18490 --- reactos/subsys/csrss/init.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/reactos/subsys/csrss/init.c b/reactos/subsys/csrss/init.c index 9bc8e7de5c0..4237698937e 100644 --- a/reactos/subsys/csrss/init.c +++ b/reactos/subsys/csrss/init.c @@ -401,16 +401,21 @@ EnvpToUnicodeString (char ** envp, PUNICODE_STRING UnicodeEnv) AnsiEnv.Buffer = RtlAllocateHeap (RtlGetProcessHeap(), 0, CharCount); if (NULL != AnsiEnv.Buffer) { + PCHAR WritePos = AnsiEnv.Buffer; for (Index=0; NULL != envp[Index]; Index++) { - strcat (WritePos, envp[Index]); + strcpy (WritePos, envp[Index]); WritePos += strlen (envp[Index]) + 1; } - AnsiEnv.Buffer [CharCount] = '\0'; + + /* FIXME: the last (double) nullterm should perhaps not be included in Length + * but only in MaximumLength. -Gunnar */ + AnsiEnv.Buffer [CharCount-1] = '\0'; AnsiEnv.Length = CharCount; AnsiEnv.MaximumLength = CharCount; + RtlAnsiStringToUnicodeString (UnicodeEnv, & AnsiEnv, TRUE); RtlFreeHeap (RtlGetProcessHeap(), 0, AnsiEnv.Buffer); }
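Review bot: The conversion at the end of the hunk still fails silently: `AnsiEnv.Length = CharCount;` and `AnsiEnv.MaximumLength = CharCount;` narrow into ANSI_STRING's USHORT fields with no range check, and the NTSTATUS returned by `RtlAnsiStringToUnicodeString` is discarded. An environment block too large for a counted string, or a failed destination allocation, therefore leaves `UnicodeEnv` in a state the caller cannot tell from success. I would reject an out-of-range CharCount before the allocation and capture the result, e.g. `Status = RtlAnsiStringToUnicodeString (UnicodeEnv, & AnsiEnv, TRUE);`, then check it before the caller uses the string. The new `AnsiEnv.Buffer [CharCount-1] = '\0';` and the `strcpy` loop are also only in bounds if CharCount is at least 1 and equals the sum of `strlen (envp[Index]) + 1` plus one, which is worth stating in a comment above the loop, for example `/* CharCount = sum(strlen(envp[i]) + 1) + 1, computed above; must be >= 1 */`. The function starts and ends outside the hunk, so the CharCount computation and the return path are not visible here and should be confirmed against this.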