[libc-commits] [libc] [libc] fix oob and overflow bugs in wcslcat and wcsncat (PR #203697)

Hardik Kumar via libc-commits libc-commits at lists.llvm.org
Mon Jun 15 04:39:26 PDT 2026 

https://github.com/hardikxk updated https://github.com/llvm/llvm-project/pull/203697

>From 227a06374e3ca1d33d6faec3a7552611c2f48057 Mon Sep 17 00:00:00 2001
From: hardikxk <hardikxk at gmail.com>
Date: Sat, 13 Jun 2026 16:32:06 +0530
Subject: [PATCH 1/2] fix oob and overflow bugs in llc

---
 libc/src/wchar/wcslcat.cpp | 2 ++
 libc/src/wchar/wcsncat.cpp | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/libc/src/wchar/wcslcat.cpp b/libc/src/wchar/wcslcat.cpp
index eb318e066f7a0..374b47c8b3578 100644
--- a/libc/src/wchar/wcslcat.cpp
+++ b/libc/src/wchar/wcslcat.cpp
@@ -21,6 +21,8 @@ LLVM_LIBC_FUNCTION(size_t, wcslcat,
                     size_t dstsize)) {
   const size_t dstlen = internal::string_length(dst);
   const size_t srclen = internal::string_length(src);
+  if (dstlen >= dstsize) 
+    return dstsize + srclen;
   int limit = static_cast<int>(dstsize - dstlen - 1);
   size_t returnval = (dstsize < dstlen ? dstsize : dstlen) + srclen;
   if (limit < 0)
diff --git a/libc/src/wchar/wcsncat.cpp b/libc/src/wchar/wcsncat.cpp
index 62595b4b5418c..985fb5f1cbace 100644
--- a/libc/src/wchar/wcsncat.cpp
+++ b/libc/src/wchar/wcsncat.cpp
@@ -21,7 +21,7 @@ LLVM_LIBC_FUNCTION(wchar_t *, wcsncat,
                     size_t n)) {
   size_t size = internal::string_length(s1);
   size_t i = 0;
-  for (; s2[i] && i < n; ++i)
+  for (; i < n && s2[i]; ++i)
     s1[size + i] = s2[i];
   // Appending null character to the end of the result.
   s1[size + i] = L'\0';

>From f6fdbb1df04ffb9d8cd56e08a772ce3a5594adb9 Mon Sep 17 00:00:00 2001
From: hardikxk <hardikxk at gmail.com>
Date: Mon, 15 Jun 2026 17:09:03 +0530
Subject: [PATCH 2/2] [libc] Fix OOB read in wcsncat and overflow in wcslcat

Prevented a potential buffer overflow in wcslcat and an out-of-bounds
read in wcsncat:

- wcslcat: Added an early exit when dstlen >= dstsize to avoid negative
    limit calculations and integer wrap during static_cast.
- wcsncat: Reordered loop conditions to check bounds (i < n) before
    dereferencing the source pointer (s2[i]).

Fixes [#203649](https://github.com/llvm/llvm-project/issues/203649).
---
 libc/src/wchar/wcslcat.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libc/src/wchar/wcslcat.cpp b/libc/src/wchar/wcslcat.cpp
index 374b47c8b3578..9c063d1de131a 100644
--- a/libc/src/wchar/wcslcat.cpp
+++ b/libc/src/wchar/wcslcat.cpp
@@ -24,7 +24,7 @@ LLVM_LIBC_FUNCTION(size_t, wcslcat,
   if (dstlen >= dstsize) 
     return dstsize + srclen;
   int limit = static_cast<int>(dstsize - dstlen - 1);
-  size_t returnval = (dstsize < dstlen ? dstsize : dstlen) + srclen;
+  size_t returnval = dstlen + srclen;
   if (limit < 0)
     return returnval;
   int i = 0;

More information about the libc-commits mailing list