Coverity has found a buffer overrun in wcstombs_errorpos() defined at 
http://hg.python.org/cpython/file/25e41fdc4e60/Objects/unicodeobject.c#l3237

Message:
CID 719672: Out-of-bounds access (OVERRUN)At (2): Overrunning array "buf" of 2 4-byte elements by passing it to a function which accesses it at element index 15 (byte offset 60) using argument "16UL". 

On a 64bit Linux system SIZE_OF_WCHAR_T is 4 and MB_LEN_MAX 16. In this constellation buf is 8 bytes long (wchar_t[2]) but outbuf has a size of 16 bytes. This causes a buffer overrun in wcstombs(outbuf, buf, sizeof(outbuf)).

Georg,
this issue might be security relevant and should be reviewed before the next release.

buf[1] contains NUL if SIZE_OF_WCHAR_T is 4.

The man page says:

   size_t wcstombs(char *dest, const wchar_t *src, size_t n)

The conversion can stop for three reasons:

3.  The wide-character string has been completely converted, including the terminating L'\0'.  In
       this case the conversion ends in the initial state.  The number of bytes written to dest, exclud-
       ing the terminating '\0' byte, is returned.


To me this sounds like there cannot be an invalid write.

I'm convinced that this is a false positive:

    size_t wcstombs(char *dest, const wchar_t *src, size_t n);

We have: 

     1) buf[0] = *wstr and buf[1] = 0.

So:

     2) wcstombs(NULL, buf, 0) <= 4.


Then the man page says:

   "... the  programmer  should  make  sure  n  is  greater  or  equal  to
    wcstombs(NULL,src,0)+1."


In this case, wcstombs(NULL, buf, 0) + 1 <= 5 and we call:

    wcstombs(char *dest, const wchar_t *src, 16);

Stefan,
I agree with your analysis. With the terminating null wide char wcstombs will never read beyond the end of buf.