Fixed handling of extremely long paths inside tempnam() function.

diff --git a/NEWS b/NEWS
index 7f08ae17aa2e9c9c7c7debd2a2dbc7c31a25cfa2..ca88662636e843e3b82ea375f402956d4260ec1f 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,7 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2006, PHP 5.2.0
+- Fixed handling of extremely long paths inside tempnam() function. (Ilia)
 - Added control character checks for cURL extension's open_basedir/safe_mode
   checks. (Ilia)
 - Disable realpath cache when open_basedir or safe_mode are enabled on a 

diff --git a/main/php_open_temporary_file.c b/main/php_open_temporary_file.c
index 66453581fb8ddced95cde02df020443cd1c7ce1c..b2e27e2f79ed8d1f2bec391f0b40732b4f6810d4 100644 (file)
--- a/main/php_open_temporary_file.c
+++ b/main/php_open_temporary_file.c
@@ -114,17 +114,16 @@ static int php_do_open_temporary_file(const char *path, const char *pfx, char **
 
        path_len = strlen(path);
 
-       if (!(opened_path = emalloc(MAXPATHLEN))) {
-               return -1;
-       }
-
        if (!path_len || IS_SLASH(path[path_len - 1])) {
                trailing_slash = "";
        } else {
                trailing_slash = "/";
        }
 
-       (void)snprintf(opened_path, MAXPATHLEN, "%s%s%sXXXXXX", path, trailing_slash, pfx);
+       if (spprintf(&opened_path, 0, "%s%s%sXXXXXX", path, trailing_slash, pfx) >= MAXPATHLEN) {
+               efree(opened_path);
+               return -1;
+       }
 
 #ifdef PHP_WIN32
        if (GetTempFileName(path, pfx, 0, opened_path)) {