From ddd22b2f533db9c0da0bb262fbafa51f67c8587e Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Fri, 1 May 2026 00:36:32 +0200
Subject: Fix strncat/wcsncat

Previously, no checks were done when __n <= __b, but strncat _appends_ after
existing content, making this a overly broad check check. For example, with an
8-byte buffer containing "12345\0", strncat(buf, "ABCD", 4) would have the
check skipped, but the result "12345ABCD\0" is 10 bytes, resulting in an
overflow.

This commit fixes this oversight, and adds a bunch of tests.
---
 include/string.h | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

(limited to 'include/string.h')

diff --git a/include/string.h b/include/string.h
index 23f598c..44206f0 100644
--- a/include/string.h
+++ b/include/string.h
@@ -140,14 +140,12 @@ _FORTIFY_FN(strncat) char *strncat(char * _FORTIFY_POS0 __d, const char *__s,
 	size_t __b = __bos(__d, 0);
 	size_t __sl, __dl;
 
-	if (__n > __b) {
-		__sl = strlen(__s);
-		__dl = strlen(__d);
-		if (__sl > __n)
-			__sl = __n;
-		if (__sl + __dl + 1 > __b)
-			__builtin_trap();
-	}
+	__sl = strlen(__s);
+	__dl = strlen(__d);
+	if (__sl > __n)
+		__sl = __n;
+	if (__sl + __dl + 1 > __b)
+		__builtin_trap();
 	return __orig_strncat(__d, __s, __n);
 }
 
-- 
cgit v1.3