commit d6105aba5fd791e8d3f069e771517cdb947b5604
parent 7fecafe015505c0ebd47780050118ff789a9ae3f
Author: jvoisin <julien.voisin@dustri.org>
Date: Thu, 30 Apr 2026 18:06:56 +0200
Fix mbsnrtowcs
mbsnrtowcs writes up to __wn wide characters into wchar_t *__d. The destination
capacity is __b / sizeof(wchar_t) wide characters, but the
else branch clamps __n (source byte limit) to __b (destination byte size).
__wn (the actual output count) is passed through unclamped. Example: __b=8
(dest holds 2 wchar_t), __n=100, __wn=25. The else branch applies (25 <=
100/4), clamps source to 8 bytes, but passes __wn=25 — the function can write
25 wchar_t (100 bytes) into an 8-byte buffer.
The first branch is also wrong: it divides __b (bytes) by sizeof(wchar_t) to
get wchar_t capacity, which is correct for the destination — but the condition
__wn > __n / sizeof(wchar_t) uses integer division that can produce incorrect
routing between branches.
The fix mirrors the already-correct mbsrtowcs pattern: clamp __wn (the output
wide-char count) to the destination's wchar_t capacity, and pass __n (source
byte limit) through unchanged.
Diffstat:
4 files changed, 60 insertions(+), 10 deletions(-)
diff --git a/include/wchar.h b/include/wchar.h
@@ -75,16 +75,10 @@ _FORTIFY_FN(mbsnrtowcs) size_t mbsnrtowcs(wchar_t * _FORTIFY_POS0 __d,
size_t __b = __bos(__d, 0);
size_t __r;
- if (__wn > __n / sizeof(wchar_t)) {
- __b /= sizeof(wchar_t);
- __r = __orig_mbsnrtowcs(__d, __s, __n, __wn > __b ? __b : __wn, __st);
- if (__b < __wn && __d && *__s && __r != (size_t)-1)
- __builtin_trap();
- } else {
- __r = __orig_mbsnrtowcs(__d, __s, __n > __b ? __b : __n, __wn, __st);
- if (__b < __n && __d && *__s && __r != (size_t)-1)
- __builtin_trap();
- }
+ __b /= sizeof(wchar_t);
+ __r = __orig_mbsnrtowcs(__d, __s, __n, __wn > __b ? __b : __wn, __st);
+ if (__b < __wn && __d && *__s && __r != (size_t)-1)
+ __builtin_trap();
return __r;
}
#endif
diff --git a/tests/Makefile b/tests/Makefile
@@ -50,6 +50,8 @@ RUNTIME_TARGETS= \
test_mempcpy_static_write \
test_memset_dynamic_write \
test_memset_static_write \
+ test_mbsnrtowcs_dynamic \
+ test_mbsnrtowcs_static \
test_poll_dynamic \
test_poll_static \
test_ppoll_dynamic \
diff --git a/tests/test_mbsnrtowcs_dynamic.c b/tests/test_mbsnrtowcs_dynamic.c
@@ -0,0 +1,28 @@
+#include "common.h"
+
+#include <wchar.h>
+#include <string.h>
+
+int main(int argc, char** argv) {
+ wchar_t buffer[4] = {0};
+ const char *src = "ABCDEFGHIJ";
+ const char *srcp = src;
+ mbstate_t st;
+ memset(&st, 0, sizeof(st));
+
+ /* Safe: convert up to 2 source bytes into at most 2 wide chars */
+ srcp = src;
+ mbsnrtowcs(buffer, &srcp, 2, 2, &st);
+
+ /* Unsafe: ask to write argc (10) wide chars into 4-element buffer.
+ * Before the fix, the else branch clamped source bytes instead of
+ * the output wide-char count, allowing destination overflow. */
+ CHK_FAIL_START
+ srcp = src;
+ memset(&st, 0, sizeof(st));
+ mbsnrtowcs(buffer, &srcp, 10, argc, &st);
+ CHK_FAIL_END
+
+ printf("%ls\n", buffer);
+ return ret;
+}
diff --git a/tests/test_mbsnrtowcs_static.c b/tests/test_mbsnrtowcs_static.c
@@ -0,0 +1,26 @@
+#include "common.h"
+
+#include <wchar.h>
+#include <string.h>
+
+int main(int argc, char** argv) {
+ wchar_t buffer[4] = {0};
+ const char *src = "ABCDEFGHIJKLMNOP";
+ const char *srcp = src;
+ mbstate_t st;
+ memset(&st, 0, sizeof(st));
+
+ /* Safe: convert up to 4 source bytes into at most 2 wide chars */
+ srcp = src;
+ mbsnrtowcs(buffer, &srcp, 4, 2, &st);
+
+ /* Unsafe: ask to write 16 wide chars into 4-element buffer */
+ CHK_FAIL_START
+ srcp = src;
+ memset(&st, 0, sizeof(st));
+ mbsnrtowcs(buffer, &srcp, 16, 16, &st);
+ CHK_FAIL_END
+
+ printf("%ls\n", buffer);
+ return ret;
+}
