From ecb512feb423a44bd3080a252306a3326c326f4b Mon Sep 17 00:00:00 2001
From: Daniel Markstedt
Date: Mon, 4 May 2026 20:30:04 +0200
Subject: [PATCH] CVE-2026-44048: libatalk: fix UCS-2 terminator bounds in charset conversion
Reported-by: @00redbeer
Signed-off-by: Daniel Markstedt
---
 libatalk/unicode/charcnv.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/libatalk/unicode/charcnv.c b/libatalk/unicode/charcnv.c
index 0a62f0baf..e6d0cd410 100644
--- a/libatalk/unicode/charcnv.c
+++ b/libatalk/unicode/charcnv.c
@@ -966,6 +966,7 @@ size_t convert_charset(charset_t from_set, charset_t to_set,
 ucs2_t *u;
 ucs2_t buffer[MAXPATHLEN + 2];
 ucs2_t buffer2[MAXPATHLEN + 2];
+ size_t u_size;
 lazy_initialize_conv();
 /* convert from_set to UCS2 */
 errno = 0;
@@ -1003,8 +1004,15 @@ size_t convert_charset(charset_t from_set, charset_t to_set,
 }
 /* null terminate */
- u[i_len] = 0;
- u[i_len + 1] = 0;
+ u_size = (u == buffer2) ? sizeof(buffer2) : sizeof(buffer);
+
+ if (i_len > u_size - 2) {
+ errno = E2BIG;
+ return (size_t) -1;
+ }
+
+ ((char *)u)[i_len] = 0;
+ ((char *)u)[i_len + 1] = 0;
 /* Do case conversions */
 if (CHECK_FLAGS(flags, CONV_TOUPPER)) {
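Review bot: The terminator write in the second hunk now indexes `u` by bytes through `(char *)u`, but nothing on the new lines says that `i_len` is a byte count, which is the unit mix-up the removed `u[i_len] = 0;` lines appear to have suffered from. I would extend the existing comment to `/* null terminate: i_len is a byte count, so the two-byte UCS-2 NUL is written through a char pointer */` and put `/* leave room for the 2-byte terminator inside whichever buffer u points at */` above the `i_len > u_size - 2` check, so a later cleanup does not restore `ucs2_t` indexing. Both `buffer` and `buffer2` are declared as `ucs2_t[MAXPATHLEN + 2]` in the first hunk, so the ternary that picks `u_size` yields the same value today; a short remark that it is kept deliberately in case the sizes diverge would help. The code that assigns `u` and `i_len` lies outside the hunk, and the function body continues past it, so whether the earlier conversion steps already bound their output to the buffer size cannot be confirmed from here; if they do not, this check would only fire after the overrun has happened.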