If the destination pointer is not null, __wcsrtombs does this: /* This code is based on the safe assumption that all internal multi-byte encodings use the NUL byte only to mark the end of the string. */ const wchar_t *srcend = *src + __wcsnlen (*src, len) + 1; This is invalid because len can be much larger than the actual input data, and calling __wcsnlen this way violates the precondition of the wcsnlen function: the input must be an array.
Patch posted: https://gnutoolchain-gerrit.osci.io/r/c/glibc/+/445
This use of wcsnlen appears to be a GNU extension.