From 60e67eb7d7fb1852ef170bfa26d12d42ac3b19f3 Mon Sep 17 00:00:00 2001 From: Ali Raza Date: Mon, 9 Mar 2026 18:11:30 +0500 Subject: [PATCH] win/tty: fix off-by-one NUL write in UTF-16 to WTF-8 conversion Reserve one byte for the NUL terminator when passing the buffer size to uv_utf16_to_wtf8() in the TTY line-read path. Without this, when all input characters encode to exactly 3 UTF-8 bytes (e.g. CJK) and the buffer size is divisible by 3, the NUL terminator is written one byte past the allocated buffer. The other two call sites in src/win/util.c already subtract 1 before calling uv_utf16_to_wtf8(). This aligns tty.c with that convention. Fixes: f3889085 ("win,tty: convert line-read UTF-16 to WTF-8") Ref: GHSA-4prr-4742-3ccf --- src/win/tty.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/win/tty.c b/src/win/tty.c index 66ca99cda..b0f0031c5 100644 --- a/src/win/tty.c +++ b/src/win/tty.c @@ -555,7 +555,7 @@ static DWORD CALLBACK uv_tty_line_read_thread(void* data) { NULL); if (read_console_success) { - read_bytes = bytes; + read_bytes = bytes - 1; uv_utf16_to_wtf8(utf16, read_chars, &handle->tty.rd.read_line_buffer.base,
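Review bot: `read_bytes = bytes - 1;` in `uv_tty_line_read_thread` subtracts without any check that `bytes` is non-zero, and nothing in the visible context rules that out. The declaration of `bytes` is outside this hunk; if it is an unsigned type, a zero value would wrap to a very large length, and the size handed to `uv_utf16_to_wtf8()` would then overstate the buffer instead of reserving a byte in it. Consider asserting or guarding `bytes > 0` before the subtraction. The line would also benefit from a short comment saying the byte is reserved for the NUL terminator, since that reasoning currently lives only in the commit message. A regression test for the case the message describes (input made up entirely of 3-byte characters with a buffer size divisible by 3) would keep this call site from drifting away from the two in src/win/util.c again.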