Bug 83343 - missing -Wstringop-overflow on writing via stpncpy return value
Summary: missing -Wstringop-overflow on writing via stpncpy return value
Status: UNCONFIRMED
Alias: None
Product: gcc
Classification: Unclassified
Component: tree-optimization
Version: 8.0
Importance: P3 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords: diagnostic
Depends on:
Blocks: Wstringop-overflow
Reported: 2017-12-09 01:57 UTC by Martin Sebor
Modified: 2022-10-23 00:19 UTC (History)

Description Martin Sebor 2017-12-09 01:57:08 UTC
In the following test case, the call to stpncpy() doesn't overflow, but because the function returns a pointer just past the end of the destination (i.e., d + sizeof d), assigning a value via the returned pointer does.  This bug could be relatively easily detected by the -Wstringop-overflow checker (but, as is evident from the output, isn't, nor is it prevented with _FORTIFY_SOURCE).

$ (set -x && cat a.c && for opt in '' -D_FORTIFY_SOURCE=2; do gcc $opt -O2 -S -Wall -fdump-tree-optimized=/dev/stdout a.c; done)
+ cat a.c
#ifdef _FORTIFY_SOURCE
#  include <string.h>
#endif

char* stpncpy (char*, const char*, __SIZE_TYPE__);

char d[8];

void f (const char *s)
{
  *stpncpy (d, s, sizeof d) = 0;
}
+ for opt in ''\'''\''' -D_FORTIFY_SOURCE=2
+ gcc -O2 -S -Wall -fdump-tree-optimized=/dev/stdout a.c

;; Function f (f, funcdef_no=0, decl_uid=1897, cgraph_uid=0, symbol_order=1)

f (const char * s)
{
  char * _1;

  <bb 2> [local count: 1073741825]:
  _1 = stpncpy (&d, s_3(D), 8);
  *_1 = 0;
  return;

}


+ for opt in ''\'''\''' -D_FORTIFY_SOURCE=2
+ gcc -D_FORTIFY_SOURCE=2 -O2 -S -Wall -fdump-tree-optimized=/dev/stdout a.c

;; Function f (f, funcdef_no=14, decl_uid=2192, cgraph_uid=14, symbol_order=15)

f (const char * s)
{
  char * _4;

  <bb 2> [local count: 1073741825]:
  _4 = __stpncpy_alias (&d, s_2(D), 8);
  *_4 = 0;
  return;

}
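
Added example, not part of the original report: it runs the report's pattern in an array with one extra guard byte to show which index the store lands on, next to a bounded variant that terminates inside the destination. The names report_pattern_index, copy_terminated and D_SIZE are hypothetical and chosen for this illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* makes <string.h> declare stpncpy() */
#endif
#include <stdio.h>
#include <string.h>

#define D_SIZE 8                  /* mirrors `char d[8]` in the report */

/* The report's pattern, run in an array with one guard byte so that the
   store stays inside the object in this demo. Returns the index the 0 was
   stored at; D_SIZE means one past the end of a `char d[D_SIZE]`. */
size_t report_pattern_index(const char *s)
{
    char buf[D_SIZE + 1];
    memset(buf, 'G', sizeof buf);
    char *end = stpncpy(buf, s, D_SIZE);
    *end = 0;
    return (size_t)(end - buf);
}

/* Hypothetical bounded variant: always terminates inside dst[size] and
   reports truncation through *truncated. Returns a pointer to the
   terminator, or NULL when size is 0 (no room for a terminator). */
char *copy_terminated(char *dst, size_t size, const char *src, int *truncated)
{
    if (size == 0) {
        *truncated = 1;
        return NULL;
    }
    char *end = stpncpy(dst, src, size - 1);   /* leave room for the NUL */
    /* end == dst + size - 1 implies strlen(src) >= size - 1, so
       src[size - 1] is readable and tells whether input was cut off. */
    *truncated = (end == dst + size - 1) && src[size - 1] != '\0';
    *end = '\0';
    return end;
}

int main(void)
{
    char d[D_SIZE];
    int cut;
    printf("short input, index written: %zu\n", report_pattern_index("abc"));
    printf("long input, index written:  %zu\n", report_pattern_index("123456789abc"));
    copy_terminated(d, sizeof d, "123456789abc", &cut);
    printf("bounded copy: \"%s\" truncated=%d\n", d, cut);
    return 0;
}
```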