Fix mbsnrtowcs

mbsnrtowcs writes up to __wn wide characters into wchar_t *__d. The destination
capacity is __b / sizeof(wchar_t) wide characters, but the
else branch clamps __n (source byte limit) to __b (destination byte size).

__wn (the actual output count) is passed through unclamped. Example: __b=8
(dest holds 2 wchar_t), __n=100, __wn=25. The else branch applies (25 <=
100/4), clamps source to 8 bytes, but passes __wn=25 — the function can write
25 wchar_t (100 bytes) into an 8-byte buffer.

The first branch is also wrong: it divides __b (bytes) by sizeof(wchar_t) to
get wchar_t capacity, which is correct for the destination — but the condition
__wn > __n / sizeof(wchar_t) uses integer division that can produce incorrect
routing between branches.

The fix mirrors the already-correct mbsrtowcs pattern: clamp __wn (the output
wide-char count) to the destination's wchar_t capacity, and pass __n (source
byte limit) through unchanged.

1 files changed, 4 insertions, 10 deletions

diff --git a/include/wchar.h b/include/wchar.h
index 9e32720..2036245 100644
--- a/include/wchar.h
+++ b/include/wchar.h
@@ -75,16 +75,10 @@ _FORTIFY_FN(mbsnrtowcs) size_t mbsnrtowcs(wchar_t * _FORTIFY_POS0 __d,
         size_t __b = __bos(__d, 0);
         size_t __r;
 
-        if (__wn > __n / sizeof(wchar_t)) {
-                __b /= sizeof(wchar_t);
-                __r = __orig_mbsnrtowcs(__d, __s, __n, __wn > __b ? __b : __wn, __st);
-                if (__b < __wn && __d && *__s && __r != (size_t)-1)
-                        __builtin_trap();
-        } else {
-                __r = __orig_mbsnrtowcs(__d, __s, __n > __b ? __b : __n, __wn, __st);
-                if (__b < __n && __d && *__s && __r != (size_t)-1)
-                        __builtin_trap();
-        }
+        __b /= sizeof(wchar_t);
+        __r = __orig_mbsnrtowcs(__d, __s, __n, __wn > __b ? __b : __wn, __st);
+        if (__b < __wn && __d && *__s && __r != (size_t)-1)
+                __builtin_trap();
         return __r;
 }
 #endif