Fix a bug in wcsnrtombs

__d is a char * destination buffer, so __b is already the byte capacity.
Dividing by sizeof(wchar_t) makes no sense here, it was likely copy-pasted
from mbsnrtowcs (where the destination is wchar_t *). The first branch also
fails to limit __n (the byte write cap) to __b, so overflows are possible when
a wide character produces multi-byte output. The second branch (else) correctly
limits __n to __b.

This commit replaces the broken two-branch logic with the simple correct
pattern matching wcsrtombs, and adds two tests two prove that nothing broke.

1 files changed, 26 insertions, 0 deletions

diff --git a/tests/test_wcsnrtombs_static.c b/tests/test_wcsnrtombs_static.c
new file mode 100644
index 0000000..7f2883f
--- /dev/null
+++ b/tests/test_wcsnrtombs_static.c
@@ -0,0 +1,26 @@
+#include "common.h"
+
+#include <wchar.h>
+#include <string.h>
+
+int main(int argc, char** argv) {
+  char buffer[4] = {0};
+  const wchar_t src[] = L"ABCDEFGHIJ";
+  const wchar_t *srcp = src;
+  mbstate_t st;
+  memset(&st, 0, sizeof(st));
+
+  /* Safe: convert up to 2 wide chars, write at most 2 bytes */
+  srcp = src;
+  wcsnrtombs(buffer, &srcp, 2, 2, &st);
+
+  /* Unsafe: ask to write 16 bytes into 4-byte buffer */
+  CHK_FAIL_START
+  srcp = src;
+  memset(&st, 0, sizeof(st));
+  wcsnrtombs(buffer, &srcp, 10, 16, &st);
+  CHK_FAIL_END
+
+  puts(buffer);
+  return ret;
+}