MFH: Fixed handling of extremely long paths inside tempnam() function.

diff --git a/NEWS b/NEWS
index 0b92cc2485bd8bec50c210265a9cde658d9d8194..0d02ce22c680dc6e14baf2d653505cb861aaa540 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,7 @@
 PHP 4                                                                      NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2006, Version 4.4.3
+- Fixed handling of extremely long paths inside tempnam() function. (Ilia)
 
 21 May 2006, Version 4.4.3RC1
 - Added control character checks for cURL extension's open_basedir/safe_mode

diff --git a/main/php_open_temporary_file.c b/main/php_open_temporary_file.c
index 93daa91495b2b4c3e2112e6abf238c059b70cc8e..e870db76f1e742372d69f54c2111f958e9a1518e 100644 (file)
--- a/main/php_open_temporary_file.c
+++ b/main/php_open_temporary_file.c
@@ -115,17 +115,16 @@ static int php_do_open_temporary_file(const char *path, const char *pfx, char **
 
        path_len = strlen(path);
 
-       if (!(opened_path = emalloc(MAXPATHLEN))) {
-               return -1;
-       }
-
        if (!path_len || IS_SLASH(path[path_len - 1])) {
                trailing_slash = "";
        } else {
                trailing_slash = "/";
        }
 
-       (void)snprintf(opened_path, MAXPATHLEN, "%s%s%sXXXXXX", path, trailing_slash, pfx);
+       if (spprintf(&opened_path, 0, "%s%s%sXXXXXX", path, trailing_slash, pfx) >= MAXPATHLEN) {
+               efree(opened_path);
+               return -1;
+       }
 
 #ifdef PHP_WIN32
        if (GetTempFileName(path, pfx, 0, opened_path)) {