From 1d9168709cd84e6ee98534bb1b51d58498dd71ca Mon Sep 17 00:00:00 2001
From: Moritz Jodeit
Date: Mon, 17 Sep 2007 15:12:45 +0000
Subject: Prevent out-of-bounds memory access in tempnam(3), if the environment variable TMPDIR or the argument `dir' is an empty string. With and ok millert@ ray@
---
 lib/libc/stdio/tempnam.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
(limited to 'lib/libc/stdio')
diff --git a/lib/libc/stdio/tempnam.c b/lib/libc/stdio/tempnam.c
index 3b7ec75c702..46b9d5536f8 100644
--- a/lib/libc/stdio/tempnam.c
+++ b/lib/libc/stdio/tempnam.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tempnam.c,v 1.14 2005/08/08 08:05:36 espie Exp $ */
+/* $OpenBSD: tempnam.c,v 1.15 2007/09/17 15:12:44 moritz Exp $ */
 /*
 * Copyright (c) 1988, 1993
 * The Regents of the University of California. All rights reserved.
@@ -53,14 +53,15 @@ tempnam(const char *dir, const char *pfx)
 if (!pfx)
 pfx = "tmp.";
- if (issetugid() == 0 && (f = getenv("TMPDIR"))) {
+ if (issetugid() == 0 && (f = getenv("TMPDIR")) && *f != '\0') {
 (void)snprintf(name, MAXPATHLEN, "%s%s%sXXXXXXXXXX", f, *(f + strlen(f) - 1) == '/'? "": "/", pfx);
 if ((f = _mktemp(name)))
 return(f);
 }
- if ((f = (char *)dir)) {
+ if (dir != NULL) {
+ f = *dir ? (char *)dir : ".";
 (void)snprintf(name, MAXPATHLEN, "%s%s%sXXXXXXXXXX", f, *(f + strlen(f) - 1) == '/'? "": "/", pfx);
 if ((f = _mktemp(name)))
--
cgit v1.2.3
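Review bot: The result of `snprintf` is still cast to `(void)` in both the TMPDIR branch and the `dir` branch of the second hunk, so a directory string long enough to fill MAXPATHLEN silently truncates the template and can cut off part or all of the `XXXXXXXXXX` suffix before `_mktemp` sees it. How `_mktemp` treats a template with a shortened suffix is not visible here, so I would check the length explicitly in both places, e.g. `len = snprintf(name, MAXPATHLEN, ...);` followed by `if (len >= 0 && len < MAXPATHLEN && (f = _mktemp(name)))`. The two branches also now handle an empty string differently (an empty TMPDIR is skipped, an empty `dir` becomes `"."`), which deserves a one-line comment such as `/* empty dir means the current directory; an empty TMPDIR is ignored */`. The body of tempnam() starts and ends outside this hunk, so an `int len` would have to be declared above the lines shown.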