diff -up sudo-1.8.6p3/common/lbuf.c.lbufexpandcode sudo-1.8.6p3/common/lbuf.c
--- sudo-1.8.6p3/common/lbuf.c.lbufexpandcode	2013-08-12 17:28:52.429562473 +0200
+++ sudo-1.8.6p3/common/lbuf.c	2013-08-12 17:29:21.486668465 +0200
@@ -77,6 +77,17 @@ lbuf_destroy(struct lbuf *lbuf)
     debug_return;
 }
 
+static void
+lbuf_expand(struct lbuf *lbuf, size_t extra)
+{
+    if (lbuf->len + extra + 1 >= lbuf->size) {
+	do {
+	    lbuf->size += 256;
+	} while (lbuf->len + extra + 1 >= lbuf->size);
+	lbuf->buf = erealloc(lbuf->buf, lbuf->size);
+    }
+}
+
 /*
  * Parse the format and append strings, only %s and %% escapes are supported.
  * Any characters in set are quoted with a backslash.
@@ -86,47 +97,40 @@ lbuf_append_quoted(struct lbuf *lbuf, co
 {
     va_list ap;
     int len;
-    char *cp, *s = NULL;
+    char *cp, *s;
     debug_decl(lbuf_append_quoted, SUDO_DEBUG_UTIL)
 
     va_start(ap, fmt);
     while (*fmt != '\0') {
-	len = 1;
 	if (fmt[0] == '%' && fmt[1] == 's') {
-	    s = va_arg(ap, char *);
-	    len = strlen(s);
-	}
-	/* Assume worst case that all chars must be escaped. */
-	if (lbuf->len + (len * 2) + 1 >= lbuf->size) {
-	    do {
-		lbuf->size += 256;
-	    } while (lbuf->len + len + 1 >= lbuf->size);
-	    lbuf->buf = erealloc(lbuf->buf, lbuf->size);
-	}
-	if (*fmt == '%') {
-	    if (*(++fmt) == 's') {
-		while ((cp = strpbrk(s, set)) != NULL) {
-		    len = (int)(cp - s);
-		    memcpy(lbuf->buf + lbuf->len, s, len);
-		    lbuf->len += len;
-		    lbuf->buf[lbuf->len++] = '\\';
-		    lbuf->buf[lbuf->len++] = *cp;
-		    s = cp + 1;
-		}
-		if (*s != '\0') {
-		    len = strlen(s);
-		    memcpy(lbuf->buf + lbuf->len, s, len);
-		    lbuf->len += len;
-		}
-		fmt++;
-		continue;
+	    if ((s = va_arg(ap, char *)) == NULL)
+		goto done;
+	    while ((cp = strpbrk(s, set)) != NULL) {
+		len = (int)(cp - s);
+		lbuf_expand(lbuf, len + 2);
+		memcpy(lbuf->buf + lbuf->len, s, len);
+		lbuf->len += len;
+		lbuf->buf[lbuf->len++] = '\\';
+		lbuf->buf[lbuf->len++] = *cp;
+		s = cp + 1;
 	    }
+	    if (*s != '\0') {
+		len = strlen(s);
+		lbuf_expand(lbuf, len);
+		memcpy(lbuf->buf + lbuf->len, s, len);
+		lbuf->len += len;
+	    }
+	    fmt += 2;
+	    continue;
 	}
+	lbuf_expand(lbuf, 2);
 	if (strchr(set, *fmt) != NULL)
 	    lbuf->buf[lbuf->len++] = '\\';
 	lbuf->buf[lbuf->len++] = *fmt++;
     }
-    lbuf->buf[lbuf->len] = '\0';
+done:
+    if (lbuf->size != 0)
+	lbuf->buf[lbuf->len] = '\0';
     va_end(ap);
 
     debug_return;
@@ -140,33 +144,27 @@ lbuf_append(struct lbuf *lbuf, const cha
 {
     va_list ap;
     int len;
-    char *s = NULL;
+    char *s;
     debug_decl(lbuf_append, SUDO_DEBUG_UTIL)
 
     va_start(ap, fmt);
     while (*fmt != '\0') {
-	len = 1;
 	if (fmt[0] == '%' && fmt[1] == 's') {
-	    s = va_arg(ap, char *);
+	    if ((s = va_arg(ap, char *)) == NULL)
+		goto done;
 	    len = strlen(s);
+	    lbuf_expand(lbuf, len);
+	    memcpy(lbuf->buf + lbuf->len, s, len);
+	    lbuf->len += len;
+	    fmt += 2;
+	    continue;
 	}
-	if (lbuf->len + len + 1 >= lbuf->size) {
-	    do {
-		lbuf->size += 256;
-	    } while (lbuf->len + len + 1 >= lbuf->size);
-	    lbuf->buf = erealloc(lbuf->buf, lbuf->size);
-	}
-	if (*fmt == '%') {
-	    if (*(++fmt) == 's') {
-		memcpy(lbuf->buf + lbuf->len, s, len);
-		lbuf->len += len;
-		fmt++;
-		continue;
-	    }
-	}
+	lbuf_expand(lbuf, 1);
 	lbuf->buf[lbuf->len++] = *fmt++;
     }
-    lbuf->buf[lbuf->len] = '\0';
+done:
+    if (lbuf->size != 0)
+	lbuf->buf[lbuf->len] = '\0';
     va_end(ap);
 
     debug_return;