From f9239e2c0f0be9856322727887a45333683940a6 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Thu, 30 Apr 2026 17:42:29 +0200
Subject: Fix a bug in wcsnrtombs

__d is a char * destination buffer, so __b is already the byte capacity.
Dividing by sizeof(wchar_t) makes no sense here, it was likely copy-pasted
from mbsnrtowcs (where the destination is wchar_t *). The first branch also
fails to limit __n (the byte write cap) to __b, so overflows are possible when
a wide character produces multi-byte output. The second branch (else) correctly
limits __n to __b.

This commit replaces the broken two-branch logic with the simple correct
pattern matching wcsrtombs, and adds two tests two prove that nothing broke.
---
 include/wchar.h | 13 +++----------
 1 file changed, 3 insertions(+), 10 deletions(-)

(limited to 'include/wchar.h')

diff --git a/include/wchar.h b/include/wchar.h
index a840f1a..0842115 100644
--- a/include/wchar.h
+++ b/include/wchar.h
@@ -190,16 +190,9 @@ _FORTIFY_FN(wcsnrtombs) size_t wcsnrtombs(char * _FORTIFY_POS0 __d,
 	size_t __b = __bos(__d, 0);
 	size_t __r;
 
-	if (__wn > __n / sizeof(wchar_t)) {
-		__b /= sizeof(wchar_t);
-		__r = __orig_wcsnrtombs(__d, __s, __wn > __b ? __b : __wn, __n, __st);
-		if (__b < __wn && __d && *__s && __r != (size_t)-1)
-			__builtin_trap();
-	} else {
-		__r = __orig_wcsnrtombs(__d, __s, __wn, __n > __b ? __b : __n, __st);
-		if (__b < __n && __d && *__s && __r != (size_t)-1)
-			__builtin_trap();
-	}
+	__r = __orig_wcsnrtombs(__d, __s, __wn, __n > __b ? __b : __n, __st);
+	if (__b < __n && __d && *__s && __r != (size_t)-1)
+		__builtin_trap();
 	return __r;
 }
 #endif
-- 
cgit v1.3