<feed xmlns='http://www.w3.org/2005/Atom'>
<title>fortify-headers/include, branch 3.0.2</title>
<subtitle>Standalone portable header-based implementation of FORTIFY_SOURCE=3</subtitle>
<id>http://git.dustri.org/fortify-headers/atom?h=3.0.2</id>
<link rel='self' href='http://git.dustri.org/fortify-headers/atom?h=3.0.2'/>
<link rel='alternate' type='text/html' href='http://git.dustri.org/fortify-headers/'/>
<updated>2026-04-30T22:48:04Z</updated>
<entry>
<title>Don't leak PATH_MAX's #define</title>
<updated>2026-04-30T22:48:04Z</updated>
<author>
<name>jvoisin</name>
</author>
<published>2026-04-30T22:48:04Z</published>
<link rel='alternate' type='text/html' href='http://git.dustri.org/fortify-headers/commit/?id=e8e2d1214a49f3c268fb5f3a92e8144b23e35243'/>
<id>urn:sha1:e8e2d1214a49f3c268fb5f3a92e8144b23e35243</id>
<content type='text'>
Apparently, some horrible systems are leaving PATH_MAX *intentionally*
undefined, as paths can be unbounded there. We don't want to silently
introduce a limit in the translation unit, so let's undefine it at the end of
the function.
</content>
</entry>
<entry>
<title>Add a guarded __extension__ before #include_next in strings.h</title>
<updated>2026-04-30T22:46:20Z</updated>
<author>
<name>jvoisin</name>
</author>
<published>2026-04-30T22:46:20Z</published>
<link rel='alternate' type='text/html' href='http://git.dustri.org/fortify-headers/commit/?id=1457895d6b34cf2bfc5fddd56becaa08d4b2edfe'/>
<id>urn:sha1:1457895d6b34cf2bfc5fddd56becaa08d4b2edfe</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Fix strncat/wcsncat</title>
<updated>2026-04-30T22:44:53Z</updated>
<author>
<name>jvoisin</name>
</author>
<published>2026-04-30T22:36:32Z</published>
<link rel='alternate' type='text/html' href='http://git.dustri.org/fortify-headers/commit/?id=ddd22b2f533db9c0da0bb262fbafa51f67c8587e'/>
<id>urn:sha1:ddd22b2f533db9c0da0bb262fbafa51f67c8587e</id>
<content type='text'>
Previously, no checks were done when __n &lt;= __b, but strncat _appends_ after
existing content, making this an overly broad check. For example, with an
8-byte buffer containing "12345\0", strncat(buf, "ABCD", 4) would have the
check skipped, but the result "12345ABCD\0" is 10 bytes, resulting in an
overflow.

This commit fixes this oversight, and adds a bunch of tests.
</content>
</entry>
<entry>
<title>Fix mbsnrtowcs</title>
<updated>2026-04-30T16:06:56Z</updated>
<author>
<name>jvoisin</name>
</author>
<published>2026-04-30T16:06:56Z</published>
<link rel='alternate' type='text/html' href='http://git.dustri.org/fortify-headers/commit/?id=d6105aba5fd791e8d3f069e771517cdb947b5604'/>
<id>urn:sha1:d6105aba5fd791e8d3f069e771517cdb947b5604</id>
<content type='text'>
mbsnrtowcs writes up to __wn wide characters into wchar_t *__d. The destination
capacity is __b / sizeof(wchar_t) wide characters, but the
else branch clamps __n (source byte limit) to __b (destination byte size).

__wn (the actual output count) is passed through unclamped. Example: __b=8
(dest holds 2 wchar_t), __n=100, __wn=25. The else branch applies (25 &lt;=
100/4), clamps source to 8 bytes, but passes __wn=25 — the function can write
25 wchar_t (100 bytes) into an 8-byte buffer.

The first branch is also wrong: it divides __b (bytes) by sizeof(wchar_t) to
get wchar_t capacity, which is correct for the destination — but the condition
__wn &gt; __n / sizeof(wchar_t) uses integer division that can produce incorrect
routing between branches.

The fix mirrors the already-correct mbsrtowcs pattern: clamp __wn (the output
wide-char count) to the destination's wchar_t capacity, and pass __n (source
byte limit) through unchanged.
</content>
</entry>
<entry>
<title>Fix a POSIX violation for swab</title>
<updated>2026-04-30T15:57:51Z</updated>
<author>
<name>jvoisin</name>
</author>
<published>2026-04-30T15:57:51Z</published>
<link rel='alternate' type='text/html' href='http://git.dustri.org/fortify-headers/commit/?id=7fecafe015505c0ebd47780050118ff789a9ae3f'/>
<id>urn:sha1:7fecafe015505c0ebd47780050118ff789a9ae3f</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Improve coverage for wmemcpy and wmemmove</title>
<updated>2026-04-30T15:50:27Z</updated>
<author>
<name>jvoisin</name>
</author>
<published>2026-04-30T15:50:27Z</published>
<link rel='alternate' type='text/html' href='http://git.dustri.org/fortify-headers/commit/?id=dfdf53df99c8f59e5e3a4296c455041bee96a88d'/>
<id>urn:sha1:dfdf53df99c8f59e5e3a4296c455041bee96a88d</id>
<content type='text'>
Like it's already done for memcpy and memmove. Add tests as well,
to prove that nothing broke.
</content>
</entry>
<entry>
<title>Fix a bug in wcsnrtombs</title>
<updated>2026-04-30T15:42:29Z</updated>
<author>
<name>jvoisin</name>
</author>
<published>2026-04-30T15:42:29Z</published>
<link rel='alternate' type='text/html' href='http://git.dustri.org/fortify-headers/commit/?id=f9239e2c0f0be9856322727887a45333683940a6'/>
<id>urn:sha1:f9239e2c0f0be9856322727887a45333683940a6</id>
<content type='text'>
__d is a char * destination buffer, so __b is already the byte capacity.
Dividing by sizeof(wchar_t) makes no sense here, it was likely copy-pasted
from mbsnrtowcs (where the destination is wchar_t *). The first branch also
fails to limit __n (the byte write cap) to __b, so overflows are possible when
a wide character produces multi-byte output. The second branch (else) correctly
limits __n to __b.

This commit replaces the broken two-branch logic with the simple correct
pattern matching wcsrtombs, and adds two tests to prove that nothing broke.
</content>
</entry>
<entry>
<title>Fix a bug in stpncpy</title>
<updated>2026-04-30T15:37:02Z</updated>
<author>
<name>jvoisin</name>
</author>
<published>2026-04-30T15:37:02Z</published>
<link rel='alternate' type='text/html' href='http://git.dustri.org/fortify-headers/commit/?id=6040b4a27409968c764353a98c45d972cfd89a8a'/>
<id>urn:sha1:6040b4a27409968c764353a98c45d972cfd89a8a</id>
<content type='text'>
The manpage says that stpncpy will "copy non-null bytes from the string pointed
to by src into the array pointed to by dst."; it doesn't add a terminal NULL
byte, so we shouldn't check for it.
</content>
</entry>
<entry>
<title>Change access of first fgets argument to write_only</title>
<updated>2026-04-30T10:57:02Z</updated>
<author>
<name>Sertonix</name>
</author>
<published>2026-04-30T10:32:01Z</published>
<link rel='alternate' type='text/html' href='http://git.dustri.org/fortify-headers/commit/?id=b9121e4d679b5fccb69abcb58b05a6be5c7191dc'/>
<id>urn:sha1:b9121e4d679b5fccb69abcb58b05a6be5c7191dc</id>
<content type='text'>
Fixes bf242b15e1f7
</content>
</entry>
<entry>
<title>Avoid overflow warnings in {v,}sprintf</title>
<updated>2026-04-20T21:15:31Z</updated>
<author>
<name>Sertonix</name>
</author>
<published>2026-04-15T14:41:46Z</published>
<link rel='alternate' type='text/html' href='http://git.dustri.org/fortify-headers/commit/?id=5ac7e1b695281ebdcfe365176d40053764d44684'/>
<id>urn:sha1:5ac7e1b695281ebdcfe365176d40053764d44684</id>
<content type='text'>
gcc does not seem to reliably notice that the if condition makes
overflows impossible in the code. To please the compiler we can use
the __bos flag to return 0 (instead of -1) when the size is unknown.

Fixes https://github.com/jvoisin/fortify-headers/issues/62
Fixes https://github.com/jvoisin/fortify-headers/issues/68
Fixes https://github.com/jvoisin/fortify-headers/issues/80
</content>
</entry>
</feed>
