time_t return of time() may be signed 32-bit and in that case
probably will roll over in the year 2038 and yield a negative
value; signedness was propagated in the XOR operation to the
'value' and then 'v' variables. The 'v % 62' operation then would
have resulted in a negative value and LETTER[v%62] would have
accessed an arbitrary data location.
The same could have happened if the static long 'value' variable
after a very long run time contained a sufficiently large value to
which the time^pid value added resulted in a wrap / roll-over to a
negative value.
Using unsigned long types for 'value' and 'v' and casting time_t
to unsigned long cures all this.
char *mkdtemp (char *tmpl)
{
static const char LETTERS[] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
- static long value = 0;
- long v;
+ static unsigned long value = 0;
+ unsigned long v;
int len;
int i, j;
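Review bot: with `v` now `unsigned long`, the `v % 62` index described in the commit message stays in bounds only as long as the literal 62 matches the length of `LETTERS` declared just above. Consider deriving the modulus from `sizeof (LETTERS) - 1`, and add a short comment at the `static unsigned long value` declaration saying the unsigned type is required so that wrap-around can never produce a negative index.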
return NULL;
}
- value += ((long) time (NULL)) ^ getpid ();
+ value += ((unsigned long) time (NULL)) ^ getpid ();
for (i = 0; i < 7 ; ++i, value += 7777)
{
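Review bot: in `((unsigned long) time (NULL)) ^ getpid ()` only the time operand is cast; `getpid ()` returns the signed `pid_t` and is converted implicitly for the XOR. The result is unsigned either way, but an explicit `(unsigned long) getpid ()` would make that visible instead of relying on the conversion rules. The `value += 7777` step in the `for` header now wraps as defined unsigned arithmetic, which is worth a one-line comment so a later cleanup does not change the type back.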