The mbsrtowcs call here doesn't convert the final \0 of mbs, leaving the
final byte of ws as whatever was just malloc-ed.

Noticed in an ASAN build which makes sure that this is never L'\0'.  Oddly,
this didn't actually trigger an ASAN report, just saw that nothing was
getting printed by printf.
---
diff --git a/builtins/printf.def b/builtins/printf.def
index ad4f4d12..62820514 100644
--- a/builtins/printf.def
+++ b/builtins/printf.def
@@ -1493,7 +1493,7 @@ getwidestr (size_t *lenp)
   mbs = garglist->word->word;
   slen = strlen (mbs);
   ws = (wchar_t *)xmalloc ((slen + 1) * sizeof (wchar_t));
- mblength = mbsrtowcs (ws, &mbs, slen, &state);
+ mblength = mbsrtowcs (ws, &mbs, slen + 1, &state);
   if (lenp)
     *lenp = mblength;
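
Review bot: on the changed `mbsrtowcs` line, passing `slen + 1` means a successful call now converts the terminator and, as the C standard specifies, stores NULL into `mbs`; any later use of `mbs` in `getwidestr` should read `garglist->word->word` instead. The count itself matches the `(slen + 1) * sizeof (wchar_t)` allocation two lines above, so the write stays in bounds, and a short comment on that line saying the `+ 1` is for the terminating `L'\0'` would keep the two in sync. Separately, `mbsrtowcs` returns `(size_t)-1` on an invalid multibyte sequence; in the lines shown that value is copied straight into `*lenp`, and `ws` is still left unterminated in that case, so unless the code just below the hunk already handles it, check for the error and terminate `ws` explicitly.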
