>Number:         13016
>Category:       lib
>Synopsis:       mbsrtowcs/wcsrtombs returns wrong value
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    lib-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed May 23 10:23:01 PDT 2001
>Closed-Date:
>Last-Modified:
>Originator:     YAMAMOTO Takashi
>Release:        current
>Organization:
>Environment:
System: NetBSD capybara 1.5V NetBSD 1.5V (stg) #197: Sat May 19 13:47:22 JST 2001 takashi@capybara:/usr/src/sys/arch/i386/compile/stg i386
Architecture: i386
Machine: i386
>Description:
	mbsrtowcs runs over terminating-null to buffersize.

	number of bytes that wcsrtombs returns includes terminating-null.
	(SUSv2 says it shouldn't be included.)

	static version of these functions don't have these problems.

>How-To-Repeat:
>Fix:

Index: multibyte.c
===================================================================
RCS file: /cvs/cvsroot/basesrc/lib/libc/locale/multibyte.c,v
retrieving revision 1.8
diff -u -r1.8 multibyte.c
--- multibyte.c	2001/02/06 18:48:41	1.8
+++ multibyte.c	2001/05/23 17:11:11
@@ -379,10 +379,8 @@
 			(*s)++;
 			break;
 		case 0:
-			pwcs++;
-			cnt++;
 			(*s)++;
-			break;
+			goto bye;
 		default:
 			pwcs++;
 			cnt++;
@@ -473,10 +471,10 @@
 		if (n - cnt < siz)
 			return cnt;
 		memcpy(s, buf, siz);
-		cnt += siz;
-		s += siz;
 		if (!**pwcs)
 			break;
+		s += siz;
+		cnt += siz;
 		(*pwcs)++;
 	}
 bye:

>Release-Note:
>Audit-Trail:
>Unformatted: