From c89f104c12e196a86dac2aa6d9119ebb8e4aabe4 Mon Sep 17 00:00:00 2001
From: Alex Richardson <arichardson@FreeBSD.org>
Date: Wed, 16 Jun 2021 16:27:13 +0100
Subject: [PATCH] vis(3): avoid out-of-bounds stack buffer reads

I found this while running kdump(1) on a CheriBSD system due to a
capability length violation when printing the /etc/libmap.conf read()
system call: it crashed immediately after printing the first line.

Found by:	CHERI
Reviewed By:	jhb
MFC after:	3 days
Differential Revision: https://reviews.freebsd.org/D30771

(cherry picked from commit 1a2f06d0f2905c9a18340b377cbbe772f2ca6844)
---
 contrib/libc-vis/vis.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/contrib/libc-vis/vis.c b/contrib/libc-vis/vis.c
index 21c07b70619d..c43186a44b51 100644
--- a/contrib/libc-vis/vis.c
+++ b/contrib/libc-vis/vis.c
@@ -465,7 +465,8 @@ istrsenvisx(char **mbdstp, size_t *dlen, const char *mbsrc, size_t mblength,
 	while (mbslength > 0) {
 		/* Convert one multibyte character to wchar_t. */
 		if (!cerr)
-			clen = mbrtowc(src, mbsrc, MB_LEN_MAX, &mbstate);
+			clen = mbrtowc(src, mbsrc, MIN(mbslength, MB_LEN_MAX),
+			    &mbstate);
 		if (cerr || clen < 0) {
 			/* Conversion error, process as a byte instead. */
 			*src = (wint_t)(u_char)*mbsrc;