From d6105aba5fd791e8d3f069e771517cdb947b5604 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Thu, 30 Apr 2026 18:06:56 +0200
Subject: Fix mbsnrtowcs

mbsnrtowcs writes up to __wn wide characters into wchar_t *__d. The destination
capacity is __b / sizeof(wchar_t) wide characters, but the
else branch clamps __n (source byte limit) to __b (destination byte size).

__wn (the actual output count) is passed through unclamped. Example: __b=8
(dest holds 2 wchar_t), __n=100, __wn=25. The else branch applies (25 <=
100/4), clamps source to 8 bytes, but passes __wn=25 — the function can write
25 wchar_t (100 bytes) into an 8-byte buffer.

The first branch is also wrong: it divides __b (bytes) by sizeof(wchar_t) to
get wchar_t capacity, which is correct for the destination — but the condition
__wn > __n / sizeof(wchar_t) uses integer division that can produce incorrect
routing between branches.

The fix mirrors the already-correct mbsrtowcs pattern: clamp __wn (the output
wide-char count) to the destination's wchar_t capacity, and pass __n (source
byte limit) through unchanged.
---
 tests/Makefile | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'tests/Makefile')

diff --git a/tests/Makefile b/tests/Makefile
index 9fc8287..6904b2d 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -50,6 +50,8 @@ RUNTIME_TARGETS= \
 	test_mempcpy_static_write     \
 	test_memset_dynamic_write     \
 	test_memset_static_write      \
+	test_mbsnrtowcs_dynamic       \
+	test_mbsnrtowcs_static        \
 	test_poll_dynamic             \
 	test_poll_static              \
 	test_ppoll_dynamic            \
-- 
cgit v1.3