From ddd22b2f533db9c0da0bb262fbafa51f67c8587e Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Fri, 1 May 2026 00:36:32 +0200
Subject: Fix strncat/wcsncat

Previously, no checks were done when __n <= __b, but strncat _appends_ after
existing content, making this a overly broad check check. For example, with an
8-byte buffer containing "12345\0", strncat(buf, "ABCD", 4) would have the
check skipped, but the result "12345ABCD\0" is 10 bytes, resulting in an
overflow.

This commit fixes this oversight, and adds a bunch of tests.
---
 tests/test_wcsnrtombs_dynamic.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

(limited to 'tests/test_wcsnrtombs_dynamic.c')

diff --git a/tests/test_wcsnrtombs_dynamic.c b/tests/test_wcsnrtombs_dynamic.c
index 808c9c8..28b03bf 100644
--- a/tests/test_wcsnrtombs_dynamic.c
+++ b/tests/test_wcsnrtombs_dynamic.c
@@ -14,9 +14,7 @@ int main(int argc, char** argv) {
   srcp = src;
   wcsnrtombs(buffer, &srcp, 4, 4, &st);
 
-  /* Unsafe: ask to write argc (10) bytes into 8-byte buffer.
-   * Before the fix, the first branch incorrectly divided the byte-sized
-   * buffer capacity by sizeof(wchar_t), making the check too permissive. */
+  /* Unsafe: ask to write argc (10) bytes into 8-byte buffer. */
   CHK_FAIL_START
   srcp = src;
   memset(&st, 0, sizeof(st));
-- 
cgit v1.3