From ddd22b2f533db9c0da0bb262fbafa51f67c8587e Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Fri, 1 May 2026 00:36:32 +0200
Subject: Fix strncat/wcsncat

Previously, no checks were done when __n <= __b, but strncat _appends_ after
existing content, making this a overly broad check check. For example, with an
8-byte buffer containing "12345\0", strncat(buf, "ABCD", 4) would have the
check skipped, but the result "12345ABCD\0" is 10 bytes, resulting in an
overflow.

This commit fixes this oversight, and adds a bunch of tests.
---
 tests/test_strncat_safe.c | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 tests/test_strncat_safe.c

(limited to 'tests/test_strncat_safe.c')

diff --git a/tests/test_strncat_safe.c b/tests/test_strncat_safe.c
new file mode 100644
index 0000000..ff8cadd
--- /dev/null
+++ b/tests/test_strncat_safe.c
@@ -0,0 +1,34 @@
+#include "common.h"
+
+#include <string.h>
+
+int main(int argc, char** argv) {
+  char buffer[8] = {0};
+
+  /* Safe: empty buffer, append 7 chars with n=7 → "1234567\0" = exactly 8 bytes */
+  strncat(buffer, "1234567", 7);
+  puts(buffer);
+
+  /* Safe: reset and append with n larger than source.
+   * src is "AB" (len 2), n=100 → only 2 chars copied + NUL = 3 bytes */
+  buffer[0] = '\0';
+  strncat(buffer, "AB", 100);
+  puts(buffer);
+
+  /* Safe: partially filled, append fits exactly.
+   * buffer = "ABCD" (4 chars), append "EFG" with n=3 → 4+3+1 = 8 = exact fit */
+  buffer[0] = '\0';
+  strncat(buffer, "ABCD", 4);
+  strncat(buffer, "EFG", 3);
+  puts(buffer);
+
+  /* Safe: n limits copy to fit.
+   * buffer = "ABCDE" (5 chars), src = "FGHIJKLM" (8 chars), n=2 → 5+2+1 = 8 */
+  buffer[0] = '\0';
+  strncat(buffer, "ABCDE", 5);
+  strncat(buffer, "FGHIJKLM", 2);
+  puts(buffer);
+
+  /* All safe operations passed without trapping */
+  return 0;
+}
-- 
cgit v1.3