From ddd22b2f533db9c0da0bb262fbafa51f67c8587e Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Fri, 1 May 2026 00:36:32 +0200
Subject: Fix strncat/wcsncat

Previously, no checks were done when __n <= __b, but strncat _appends_ after existing content, making this a overly broad check check. For example, with an 8-byte buffer containing "12345\0", strncat(buf, "ABCD", 4) would have the check skipped, but the result "12345ABCD\0" is 10 bytes, resulting in an overflow. This commit fixes this oversight, and adds a bunch of tests.
---
tests/test_wcsncat_n_eq_buf.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
create mode 100644 tests/test_wcsncat_n_eq_buf.c
(limited to 'tests/test_wcsncat_n_eq_buf.c')
diff --git a/tests/test_wcsncat_n_eq_buf.c b/tests/test_wcsncat_n_eq_buf.c
new file mode 100644
index 0000000..e516842
--- /dev/null
+++ b/tests/test_wcsncat_n_eq_buf.c
@@ -0,0 +1,18 @@
+#include "common.h"
+
+#include
+
+int main(int argc, char** argv) {
+ wchar_t buffer[8] = {0};
+ wcsncat(buffer, L"12345", 5);
+ printf("%ls\n", buffer);
+
+ /* n == buffer capacity but overflow due to existing content.
+ * buffer has 5 wchars, src L"ABC" (len 3): 5+3+1 = 9 > 8 → overflow. */
+ CHK_FAIL_START
+ wcsncat(buffer, L"ABC", 8);
+ CHK_FAIL_END
+
+ printf("%ls\n", buffer);
+ return ret;
+}
--
cgit v1.3
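Review bot: The comment above CHK_FAIL_START does its arithmetic (5+3+1 = 9 > 8) in wchar_t elements without saying so, while a `wchar_t[8]` object is 8 * sizeof(wchar_t) bytes. If the checked wcsncat measures the destination in bytes (the header is not part of this diff), the case only traps when that size is scaled down to elements, and that is the property this test should make explicit. I would state the unit, e.g. `/* Counts are in wchar_t elements, not bytes: capacity 8 = 5 used + 3 appended + 1 terminator too many. */`. The overflow here is only the terminating L'\0' at index 8, so this is the tightest failing case. The view is limited to this one file, so I cannot tell whether a companion test asserts that `wcsncat(buffer, L"AB", 8)` (5+2+1 = 8) still succeeds, which would catch an over-strict off-by-one in the new check.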