Fix strncat/wcsncat

Previously, no checks were done when __n <= __b, but strncat _appends_ after existing content, making this a overly broad check check. For example, with an 8-byte buffer containing "12345\0", strncat(buf, "ABCD", 4) would have the check skipped, but the result "12345ABCD\0" is 10 bytes, resulting in an overflow. This commit fixes this oversight, and adds a bunch of tests.
author: jvoisin 2026-05-01 00:36:32 +0200
committer: jvoisin 2026-05-01 00:44:53 +0200
commit: ddd22b2f533db9c0da0bb262fbafa51f67c8587e (patch)
tree: d319dab03de20929f95ccf7f9bec8c428ab6a66b /include
parent: d6105aba5fd791e8d3f069e771517cdb947b5604 (diff)
2 files changed, 12 insertions, 16 deletions
diff --git a/include/string.h b/include/string.h
index 23f598c..44206f0 100644
--- a/include/string.h
+++ b/include/string.h
@@ -140,14 +140,12 @@ _FORTIFY_FN(strncat) char *strncat(char * _FORTIFY_POS0 __d, const char *__s,
        size_t __b = __bos(__d, 0);
        size_t __sl, __dl;
-        if (__n > __b) {
+        __sl = strlen(__s);
-                __sl = strlen(__s);
+        __dl = strlen(__d);
-                __dl = strlen(__d);
+        if (__sl > __n)
-                if (__sl > __n)
+                __sl = __n;
-                        __sl = __n;
+        if (__sl + __dl + 1 > __b)
-                if (__sl + __dl + 1 > __b)
+                __builtin_trap();
-                        __builtin_trap();
-        }
        return __orig_strncat(__d, __s, __n);
 }
diff --git a/include/wchar.h b/include/wchar.h
index 2036245..4346023 100644
--- a/include/wchar.h
+++ b/include/wchar.h
@@ -153,14 +153,12 @@ _FORTIFY_FN(wcsncat) wchar_t *wcsncat(wchar_t * _FORTIFY_POS0 __d,
        size_t __b = __bos(__d, 0);
        size_t __sl, __dl;
-        if (__n > __b / sizeof(wchar_t)) {
+        __sl = wcslen(__s);
-                __sl = wcslen(__s);
+        __dl = wcslen(__d);
-                __dl = wcslen(__d);
+        if (__sl > __n)
-                if (__sl > __n)
+                __sl = __n;
-                        __sl = __n;
+        if (__sl + __dl + 1 > __b / sizeof(wchar_t))
-                if (__sl + __dl + 1 > __b / sizeof(wchar_t))
+                __builtin_trap();
-                        __builtin_trap();
-        }
        return __orig_wcsncat(__d, __s, __n);
 }
author	jvoisin	2026-05-01 00:36:32 +0200
committer	jvoisin	2026-05-01 00:44:53 +0200
commit	ddd22b2f533db9c0da0bb262fbafa51f67c8587e (patch)
tree	d319dab03de20929f95ccf7f9bec8c428ab6a66b /include
parent	d6105aba5fd791e8d3f069e771517cdb947b5604 (diff)

diff --git a/include/string.h b/include/string.h index 23f598c..44206f0 100644 --- a/include/string.h +++ b/include/string.h
@@ -140,14 +140,12 @@ _FORTIFY_FN(strncat) char strncat(char _FORTIFY_POS0 __d, const char *__s,
140	size_t __b = __bos(__d, 0);	140	size_t __b = __bos(__d, 0);
141	size_t __sl, __dl;	141	size_t __sl, __dl;
142		142
143	if (__n > __b) {	143	__sl = strlen(__s);
144	__sl = strlen(__s);	144	__dl = strlen(__d);
145	__dl = strlen(__d);	145	if (__sl > __n)
146	if (__sl > __n)	146	__sl = __n;
147	__sl = __n;	147	if (__sl + __dl + 1 > __b)
148	if (__sl + __dl + 1 > __b)	148	__builtin_trap();
149	__builtin_trap();
150	}
151	return __orig_strncat(__d, __s, __n);	149	return __orig_strncat(__d, __s, __n);
152	}	150	}
153		151


diff --git a/include/wchar.h b/include/wchar.h index 2036245..4346023 100644 --- a/include/wchar.h +++ b/include/wchar.h
@@ -153,14 +153,12 @@ _FORTIFY_FN(wcsncat) wchar_t wcsncat(wchar_t _FORTIFY_POS0 __d,
153	size_t __b = __bos(__d, 0);	153	size_t __b = __bos(__d, 0);
154	size_t __sl, __dl;	154	size_t __sl, __dl;
155		155
156	if (__n > __b / sizeof(wchar_t)) {	156	__sl = wcslen(__s);
157	__sl = wcslen(__s);	157	__dl = wcslen(__d);
158	__dl = wcslen(__d);	158	if (__sl > __n)
159	if (__sl > __n)	159	__sl = __n;
160	__sl = __n;	160	if (__sl + __dl + 1 > __b / sizeof(wchar_t))
161	if (__sl + __dl + 1 > __b / sizeof(wchar_t))	161	__builtin_trap();
162	__builtin_trap();
163	}
164	return __orig_wcsncat(__d, __s, __n);	162	return __orig_wcsncat(__d, __s, __n);
165	}	163	}
166		164