From ddd22b2f533db9c0da0bb262fbafa51f67c8587e Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Fri, 1 May 2026 00:36:32 +0200
Subject: Fix strncat/wcsncat

Previously, no checks were done when __n <= __b, but strncat _appends_ after
existing content, making this a overly broad check check. For example, with an
8-byte buffer containing "12345\0", strncat(buf, "ABCD", 4) would have the
check skipped, but the result "12345ABCD\0" is 10 bytes, resulting in an
overflow.

This commit fixes this oversight, and adds a bunch of tests.
---
 tests/test_strncat_static_write.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

(limited to 'tests/test_strncat_static_write.c')

diff --git a/tests/test_strncat_static_write.c b/tests/test_strncat_static_write.c
index 7fe89ff..53d1532 100644
--- a/tests/test_strncat_static_write.c
+++ b/tests/test_strncat_static_write.c
@@ -4,15 +4,15 @@
 
 int main(int argc, char** argv) {
   char buffer[8] = {0};
-  char src[] = {'1', '2', '3', '4', '5', '6', '7', '8', '9', '0'};
-  strncat(buffer, src, 5);
+  strncat(buffer, "12345", 5);
   puts(buffer);
 
-#if 0
+  /* n=4 is less than buffer size (8), but buffer already has 5 chars,
+   * so appending 4 more + NUL = 10 bytes total, overflowing the buffer.
+   */
   CHK_FAIL_START
-  strncat(buffer, src, 10);
+  strncat(buffer, "ABCD", 4);
   CHK_FAIL_END
-#endif
 
   puts(buffer);
   return ret;
-- 
cgit v1.3