fortify-headers

standalone fortify-source implementation
git clone git://git.2f30.org/fortify-headers
Log | Files | Refs | README | LICENSE
commit f9239e2c0f0be9856322727887a45333683940a6
parent 6040b4a27409968c764353a98c45d972cfd89a8a
Author: jvoisin <julien.voisin@dustri.org>
Date:   Thu, 30 Apr 2026 17:42:29 +0200

Fix a bug in wcsnrtombs

__d is a char * destination buffer, so __b is already the byte capacity.
Dividing by sizeof(wchar_t) makes no sense here, it was likely copy-pasted
from mbsnrtowcs (where the destination is wchar_t *). The first branch also
fails to limit __n (the byte write cap) to __b, so overflows are possible when
a wide character produces multi-byte output. The second branch (else) correctly
limits __n to __b.

This commit replaces the broken two-branch logic with the simple correct
pattern matching wcsrtombs, and adds two tests two prove that nothing broke.

Diffstat:

Minclude/wchar.h | 13+++----------


Mtests/Makefile | 2++


Atests/test_wcsnrtombs_dynamic.c | 28++++++++++++++++++++++++++++


Atests/test_wcsnrtombs_static.c | 26++++++++++++++++++++++++++


4 files changed, 59 insertions(+), 10 deletions(-)

diff --git a/include/wchar.h b/include/wchar.h
@@ -190,16 +190,9 @@ _FORTIFY_FN(wcsnrtombs) size_t wcsnrtombs(char * _FORTIFY_POS0 __d,
 	size_t __b = __bos(__d, 0);
 	size_t __r;
 
-	if (__wn > __n / sizeof(wchar_t)) {
-		__b /= sizeof(wchar_t);
-		__r = __orig_wcsnrtombs(__d, __s, __wn > __b ? __b : __wn, __n, __st);
-		if (__b < __wn && __d && *__s && __r != (size_t)-1)
-			__builtin_trap();
-	} else {
-		__r = __orig_wcsnrtombs(__d, __s, __wn, __n > __b ? __b : __n, __st);
-		if (__b < __n && __d && *__s && __r != (size_t)-1)
-			__builtin_trap();
-	}
+	__r = __orig_wcsnrtombs(__d, __s, __wn, __n > __b ? __b : __n, __st);
+	if (__b < __n && __d && *__s && __r != (size_t)-1)
+		__builtin_trap();
 	return __r;
 }
 #endif
diff --git a/tests/Makefile b/tests/Makefile
@@ -94,6 +94,8 @@ RUNTIME_TARGETS= \
 	test_vsnprintf_static         \
 	test_vsprintf                 \
 	test_wcrtomb                  \
+	test_wcsnrtombs_dynamic       \
+	test_wcsnrtombs_static        \
 	test_wcscat_static_write      \
 	test_wcscpy_static_write      \
 	test_wcsncat_static_write     \
diff --git a/tests/test_wcsnrtombs_dynamic.c b/tests/test_wcsnrtombs_dynamic.c
@@ -0,0 +1,28 @@
+#include "common.h"
+
+#include <wchar.h>
+#include <string.h>
+
+int main(int argc, char** argv) {
+  char buffer[8] = {0};
+  const wchar_t src[] = L"ABCD";
+  const wchar_t *srcp = src;
+  mbstate_t st;
+  memset(&st, 0, sizeof(st));
+
+  /* Safe: convert up to 4 wide chars, write at most 4 bytes */
+  srcp = src;
+  wcsnrtombs(buffer, &srcp, 4, 4, &st);
+
+  /* Unsafe: ask to write argc (10) bytes into 8-byte buffer.
+   * Before the fix, the first branch incorrectly divided the byte-sized
+   * buffer capacity by sizeof(wchar_t), making the check too permissive. */
+  CHK_FAIL_START
+  srcp = src;
+  memset(&st, 0, sizeof(st));
+  wcsnrtombs(buffer, &srcp, 4, argc, &st);
+  CHK_FAIL_END
+
+  puts(buffer);
+  return ret;
+}
diff --git a/tests/test_wcsnrtombs_static.c b/tests/test_wcsnrtombs_static.c
@@ -0,0 +1,26 @@
+#include "common.h"
+
+#include <wchar.h>
+#include <string.h>
+
+int main(int argc, char** argv) {
+  char buffer[4] = {0};
+  const wchar_t src[] = L"ABCDEFGHIJ";
+  const wchar_t *srcp = src;
+  mbstate_t st;
+  memset(&st, 0, sizeof(st));
+
+  /* Safe: convert up to 2 wide chars, write at most 2 bytes */
+  srcp = src;
+  wcsnrtombs(buffer, &srcp, 2, 2, &st);
+
+  /* Unsafe: ask to write 16 bytes into 4-byte buffer */
+  CHK_FAIL_START
+  srcp = src;
+  memset(&st, 0, sizeof(st));
+  wcsnrtombs(buffer, &srcp, 10, 16, &st);
+  CHK_FAIL_END
+
+  puts(buffer);
+  return ret;
+}