Standalone portable header-based implementation of FORTIFY_SOURCE=3 http://git.dustri.org/fortify-headers/atom?h=master 2026-04-30T22:44:53Z 2026-04-30T22:44:53Z jvoisin 2026-04-30T22:36:32Z urn:sha1:ddd22b2f533db9c0da0bb262fbafa51f67c8587e Previously, no checks were done when __n <= __b, but strncat _appends_ after existing content, making this a overly broad check check. For example, with an 8-byte buffer containing "12345\0", strncat(buf, "ABCD", 4) would have the check skipped, but the result "12345ABCD\0" is 10 bytes, resulting in an overflow. This commit fixes this oversight, and adds a bunch of tests. 2026-04-30T16:06:56Z jvoisin 2026-04-30T16:06:56Z urn:sha1:d6105aba5fd791e8d3f069e771517cdb947b5604 mbsnrtowcs writes up to __wn wide characters into wchar_t *__d. The destination capacity is __b / sizeof(wchar_t) wide characters, but the else branch clamps __n (source byte limit) to __b (destination byte size). __wn (the actual output count) is passed through unclamped. Example: __b=8 (dest holds 2 wchar_t), __n=100, __wn=25. The else branch applies (25 <= 100/4), clamps source to 8 bytes, but passes __wn=25 — the function can write 25 wchar_t (100 bytes) into an 8-byte buffer. The first branch is also wrong: it divides __b (bytes) by sizeof(wchar_t) to get wchar_t capacity, which is correct for the destination — but the condition __wn > __n / sizeof(wchar_t) uses integer division that can produce incorrect routing between branches. The fix mirrors the already-correct mbsrtowcs pattern: clamp __wn (the output wide-char count) to the destination's wchar_t capacity, and pass __n (source byte limit) through unchanged. 2026-04-30T15:50:27Z jvoisin 2026-04-30T15:50:27Z urn:sha1:dfdf53df99c8f59e5e3a4296c455041bee96a88d Like it's already done for memcpy and memmove. Add tests as well, to prove that nothing broke. 2026-04-30T15:42:29Z jvoisin 2026-04-30T15:42:29Z urn:sha1:f9239e2c0f0be9856322727887a45333683940a6 __d is a char * destination buffer, so __b is already the byte capacity. Dividing by sizeof(wchar_t) makes no sense here, it was likely copy-pasted from mbsnrtowcs (where the destination is wchar_t *). The first branch also fails to limit __n (the byte write cap) to __b, so overflows are possible when a wide character produces multi-byte output. The second branch (else) correctly limits __n to __b. This commit replaces the broken two-branch logic with the simple correct pattern matching wcsrtombs, and adds two tests two prove that nothing broke. 2025-11-10T22:55:25Z jvoisin 2025-10-31T20:08:47Z urn:sha1:bc2641769ec3019ab7d794b032a6e36030581c76 It's unfortunately valid to pass a buffer smaller than MB_CUR_MAX to wctomb, so let's not trap on this. Moreover, it's supposed to be implemented in stdlib.h and not wchar.h anyway. 2025-10-31T21:16:21Z Daniel Kolesa 2022-10-25T22:30:00Z urn:sha1:f46714c2f9eb13c12c8218f1b7c045182041fdc9 Co-Authored-By: jvoisin <julien.voisin@dustri.org> 2025-10-31T21:16:21Z Daniel Kolesa 2022-11-01T19:14:54Z urn:sha1:8915dc13de44fed3a076a9fd51eb1ab2b5502d7b It seems useless and triggers 'error: expected external declaration' 2025-10-31T21:16:21Z jvoisin 2023-03-18T13:01:02Z urn:sha1:249492e08adbf034976770ab3b021ba093a2ab18 GCC and Clang provide __builtin_dynamic_object_size (see documentation: https://gcc.gnu.org/onlinedocs/gcc/Object-Size-Checking.html), so we should make use of it when its available. 2019-03-07T00:05:34Z info@mobile-stream.com 2019-03-06T13:28:48Z urn:sha1:9b796691eb794e9f5279886e917c028a09f8a728 This allows the compiler to optimize out the slow/trap path at all for the typical correct code: char buf[MB_LEN_MAX]; r = wctomb(buf, c); The change tries to keep the "unknown object size" case handling in wcrtomb() as is even if it seems redundant and not helping (we copy __buf to possibly undersized __s in any case) and inconsistent with wctomb() (where we let the original library method itself overwrite the possibly undersized __s). 2019-02-25T13:17:08Z sin 2019-02-25T13:01:12Z urn:sha1:5aabc7e6aad28327d75671e52c50060e4543112c