From 64fbbe388827d729187954f3a0e4a0760ac851ba Mon Sep 17 00:00:00 2001
From: Ali Raza
Date: Sat, 7 Mar 2026 03:08:57 +0500
Subject: [PATCH] win: add overflow checks in make_program_env()
The env_len accumulator in make_program_env() has no overflow protection. On 32-bit systems, a large environment block can cause env_len * sizeof(WCHAR) to wrap size_t, resulting in undersized allocations followed by heap buffer overflows during the copy passes. Add overflow checks before both allocation sites (second pass and final pass) to reject environment blocks that would cause arithmetic overflow.
---
 src/win/process.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/win/process.c b/src/win/process.c
index 696a54ce3..369652c34 100644
--- a/src/win/process.c
+++ b/src/win/process.c
@@ -675,6 +675,8 @@ int make_program_env(char* env_block[], WCHAR** dst_ptr) {
 /* second pass: copy to UTF-16 environment block */
 len = env_block_count * sizeof(WCHAR*);
+ if (env_len > (SIZE_MAX - len) / sizeof(WCHAR))
+ return UV_EINVAL;
 p = uv__malloc(len + env_len * sizeof(WCHAR));
 if (p == NULL) {
 return UV_ENOMEM;
@@ -728,6 +730,10 @@ int make_program_env(char* env_block[], WCHAR** dst_ptr) {
 }
 /* final pass: copy, in sort order, and inserting required variables */
+ if (env_len > SIZE_MAX / sizeof(WCHAR) - 1) {
+ uv__free(p);
+ return UV_EINVAL;
+ }
 dst = uv__malloc((1+env_len) * sizeof(WCHAR));
 if (!dst) {
 uv__free(p);
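Review bot: The guard added before `uv__malloc(len + env_len * sizeof(WCHAR))` in the `@@ -675,6 +675,8 @@` hunk bounds the multiplication only, while the `env_len` sum it tests is built up earlier in make_program_env(), outside this hunk, and the commit message names that accumulator as the unprotected part. If every addend is limited by the size of a string already held in memory, the sum presumably cannot wrap before this point; a comment above the check would record that assumption, for example `/* env_len is bounded by the input strings; reject sizes where len + env_len * sizeof(WCHAR) would wrap size_t */`. The `if` is also unbraced, unlike `if (p == NULL) {` directly below it and the second guard in this patch. The same accumulation question applies to the `@@ -728,6 +730,10 @@` hunk, where `env_len` may have grown again between the two checks.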
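Review bot: Both new guards return `UV_EINVAL`, while the allocation failure beside the first one returns `UV_ENOMEM`, so a caller may not be able to tell an environment that is too large from one that is malformed. Either return `UV_ENOMEM` from the guards or document the new `UV_EINVAL` case where make_program_env()'s error codes are described. In the `@@ -728,6 +730,10 @@` hunk the condition `env_len > SIZE_MAX / sizeof(WCHAR) - 1` reads more directly as `if (env_len >= SIZE_MAX / sizeof(WCHAR)) {`, which is equivalent for unsigned values. The hunk ends inside the `if (!dst) {` block, so the rest of that cleanup path is not visible here.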