From: massey@surefirev.com (Todd Massey)
Subject: B19: tempnam memory allocation bug
16 Oct 1998 08:34:20 -0700
Message-ID: <3.0.3.32.19981015093217.00b73520.cygnus.gnu-win32@appr>
To: gnu-win32@cygnus.com

Found in newlib/libc/stdio/tmpnam.c

The problem exists in the following line:

      length = strlen (dir) + strlen (pfx) + 10 + 1;

It seems that the assumption was made that there are 2 integers of size 4
bytes each being used in the tempnam, thus:

   10 =  4 (first integer) + 4 (second integer) + 1 ('_') + 1 ('.')

The problem is that when you print an integer out as hex in a character string,
each character actually represents 4 bits of the integer, thus 8 bytes
per integer are used.  Thus it should be
 
   18 =  8 (first integer) + 8 (second integer) + 1 ('_') + 1 ('.')
 

So the line should be:

   length = strlen (dir) + strlen (pfx) + 18 + 1;


char *
_DEFUN (_tempnam_r, (p, dir, pfx),
        struct _reent *p _AND
        char *dir _AND
        char *pfx)
{
  char *filename;
  int length;
  if (dir == NULL && (dir = getenv ("TMPDIR")) == NULL)
    dir = P_tmpdir;
 
  length = strlen (dir) + strlen (pfx) + 10 + 1;        /* two 8 digit
                                                           numbers + . / */
 
  filename = _malloc_r (p, length);
  if (filename)
    {
      if (! worker (p, filename, dir, pfx,
                    _getpid_r (p) ^ (int) (_POINTER_INT) p, &p->_inc))
        return NULL;
    }
  return filename;
}
 

    /\     Todd Massey                 <massey@surefirev.com> 
   /\//    SureFire Verification Inc.  <http://www.surefirev.com>
  /\///\   1671 Dell Ave, Campbell, CA 95008 -- 408-374-4100 x102
 _\///\/        Formerly Silicon Sorcery
  \//\/    Check out the Scuba Divers Review Site
    \/     ---->   www.scuba-divers.com 
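
The size arithmetic above, as an added example that is not part of the original message or of newlib. It assumes a name layout of dir '/' pfx hex '.' hex and a 32-bit unsigned int; the function names and sample values are hypothetical. It compares the old and proposed constants with the size snprintf reports, then allocates from the measured size.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout for illustration: dir '/' pfx hex '.' hex. */
#define NAME_FMT "%s/%s%x.%x"

/* Size reserved by the original line (+ 10 + 1). */
static size_t old_len(const char *dir, const char *pfx)
{
    return strlen(dir) + strlen(pfx) + 10 + 1;
}

/* Size reserved by the line proposed in the post (+ 18 + 1). */
static size_t fixed_len(const char *dir, const char *pfx)
{
    return strlen(dir) + strlen(pfx) + 18 + 1;
}

/* Bytes the formatted name really needs, NUL included; 0 on error. */
static size_t needed_len(const char *dir, const char *pfx,
                         unsigned a, unsigned b)
{
    int n = snprintf(NULL, 0, NAME_FMT, dir, pfx, a, b);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Allocate from the measured size so the write is always bounded. */
static char *make_name(const char *dir, const char *pfx,
                       unsigned a, unsigned b)
{
    size_t len = needed_len(dir, pfx, a, b);
    char *name = len ? malloc(len) : NULL;
    if (name)
        snprintf(name, len, NAME_FMT, dir, pfx, a, b);
    return name;
}

int main(void)
{
    const char *dir = "/tmp", *pfx = "t";      /* constructed input */
    unsigned a = 0xffffffffu, b = 0xffffffffu; /* widest hex values */
    char *name = make_name(dir, pfx, a, b);
    printf("old=%zu fixed=%zu needed=%zu name=%s\n", old_len(dir, pfx),
           fixed_len(dir, pfx), needed_len(dir, pfx, a, b),
           name ? name : "(null)");
    free(name);
    return 0;
}
```

With small values such as 1 and 2 the old constant is large enough, so the overrun only shows up once the two numbers together print more than 8 hex digits.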
 

