From a07514b0406a64dbea20869cb87e46115e60087c Mon Sep 17 00:00:00 2001
From: Fabrice Le Fessant
Date: Fri, 15 Dec 2023 08:36:43 +0100
Subject: [PATCH] Fix potention buffer overflow bug in cob_expand_env_string
---
 libcob/ChangeLog | 1 +
 libcob/common.c | 7 ++++---
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/libcob/ChangeLog b/libcob/ChangeLog
index 1cc363496..7fcfdb58f 100644
--- a/libcob/ChangeLog
+++ b/libcob/ChangeLog
@@ -2,6 +2,7 @@
 2023-11-29 Fabrice Le Fessant
 * common.c (cob_get_strerror), coblocal.h: export as utility function
+ * common.c (cob_expand_env_string): fix potention buffer overflow
 2023-07-28 Simon Sobisch
diff --git a/libcob/common.c b/libcob/common.c
index d2ac8b429..24cb0513c 100644
--- a/libcob/common.c
+++ b/libcob/common.c
@@ -7785,9 +7785,10 @@ cob_expand_env_string (char *strval)
 }
 }
 if (penv != NULL) {
- if ((strlen (penv) + j) > (envlen - 128)) {
- env = cob_realloc (env, envlen, strlen (penv) + 256);
- envlen = strlen (penv) + 256;
+ size_t copy_len = strlen (penv);
+ if (copy_len + j + 128 > envlen) {
+ env = cob_realloc (env, envlen, j + copy_len + 256);
+ envlen = j + copy_len + 256;
 }
 j += sprintf (&env[j], "%s", penv);
 penv = NULL;
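Review bot: The copy at `j += sprintf (&env[j], "%s", penv);` in the libcob/common.c hunk is still an unbounded write whose safety rests entirely on the size arithmetic just above it, which is the arithmetic this commit had to correct. Since `copy_len` is now available, the write can carry its own bound: `memcpy (&env[j], penv, copy_len + 1); j += copy_len;`, or `snprintf (&env[j], envlen - j, "%s", penv)` with the return value checked against `envlen - j`. The 128 and 256 margins are unnamed constants; a comment such as `/* keep at least 128 bytes of headroom in env after the copied value */` would record the invariant that the rest of the loop presumably relies on. cob_expand_env_string starts and ends outside the hunk, so the other writes to `env` cannot be checked from here.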