| author | jvoisin | 2026-05-01 00:36:32 +0200 |
|---|---|---|
| committer | jvoisin | 2026-05-01 00:44:53 +0200 |
| commit | ddd22b2f533db9c0da0bb262fbafa51f67c8587e (patch) | |
| tree | d319dab03de20929f95ccf7f9bec8c428ab6a66b /tests/test_mbsnrtowcs_dynamic.c | |
| parent | d6105aba5fd791e8d3f069e771517cdb947b5604 (diff) | |
Fix strncat/wcsncat
Previously, no checks were done when __n <= __b, but strncat _appends_ after
existing content, making this an overly broad check. For example, with an
8-byte buffer containing "12345\0", strncat(buf, "ABCD", 4) would have the
check skipped, but the result "12345ABCD\0" is 10 bytes, resulting in an
overflow.
This commit fixes this oversight, and adds a bunch of tests.
Diffstat (limited to '')
| -rw-r--r-- | tests/test_mbsnrtowcs_dynamic.c | 4 |
1 files changed, 1 insertions, 3 deletions
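--- a/tests/test_mbsnrtowcs_dynamic.c
+++ b/tests/test_mbsnrtowcs_dynamic.c
@@ -14,9 +14,7 @@ int main(int argc, char** argv) {
 srcp = src;
 mbsnrtowcs(buffer, &srcp, 2, 2, &st);
 
-/* Unsafe: ask to write argc (10) wide chars into 4-element buffer.
-* Before the fix, the else branch clamped source bytes instead of
-* the output wide-char count, allowing destination overflow. */
+/* Unsafe: ask to write argc (10) wide chars into 4-element buffer. */
 CHK_FAIL_START
 srcp = src;
 memset(&st, 0, sizeof(st));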
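Review bot: The shortened comment above CHK_FAIL_START no longer records which defect this case guards against. The two removed lines were the only note in this hunk that an earlier version of the wrapper clamped the source byte count instead of the output wide-char count. The commit is described as a strncat/wcsncat fix, so this edit to the mbsnrtowcs test looks unrelated. I would either drop it from the commit or keep a one-line pointer such as `/* Regression: the destination check must bound the wide-char count, not the source byte count. */`. main() begins and ends outside the hunk, so the unsafe call itself is not visible here.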
