From ca1340e16dd9a1702276573c60156e1e8918dca8 Mon Sep 17 00:00:00 2001
From: Sebastien Tardif <sebtardif@ncf.ca>
Date: Wed, 24 Jun 2026 09:06:03 -0700
Subject: [PATCH] std: reject interior NULs in Windows Command program name
 (argv0)

make_command_line copied argv0 via encode_wide without ensure_no_nuls.
An embedded wide NUL would truncate the CreateProcessW command line while
args already go through append_arg which checks for NULs. Align argv0 with
make_envp / make_dirp.

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
---
 library/std/src/sys/process/windows.rs | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/library/std/src/sys/process/windows.rs b/library/std/src/sys/process/windows.rs
index a747ef048d901..0a381cd8866b7 100644
--- a/library/std/src/sys/process/windows.rs
+++ b/library/std/src/sys/process/windows.rs
@@ -869,6 +869,9 @@ fn make_command_line(argv0: &OsStr, args: &[Arg], force_quotes: bool) -> io::Res
     // the child process parses its arguments.
     // Note that quotes aren't escaped here because they can't be used in arg0.
     // But that's ok because file paths can't contain quotes.
+    // Reject interior NULs: the program name is copied into the wide command
+    // line as-is; an embedded 0 would truncate CreateProcessW / CommandLineToArgvW.
+    let argv0 = ensure_no_nuls(argv0)?;
     cmd.push(b'"' as u16);
     cmd.extend(argv0.encode_wide());
     cmd.push(b'"' as u16);