From: Eike Rathke
Date: Sat, 5 Jan 2019 21:54:26 +0000 (+0100)
Subject: Fix mkdtemp() random signedness
X-Git-Tag: mutt-1-12-rel~139
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=9b965fac1fac83ede6e00ddff224ed6080bc9b74;p=mutt

Fix mkdtemp() random signedness

time_t return of time() may be signed 32-bit and in that case probably will roll over in the year 2038 and yield a negative value; signedness was propagated in the XOR operation to the 'value' and then 'v' variables. The 'v % 62' operation then would have resulted in a negative value and LETTER[v%62] would have accessed an arbitrary data location. The same could have happened if the static long 'value' variable after a very long run time contained a sufficiently large value to which the time^pid value added resulted in a wrap / roll-over to a negative value. Using unsigned long types for 'value' and 'v' and casting time_t to unsigned long cures all this.
---

diff --git a/mkdtemp.c b/mkdtemp.c index d576bdad..188b65c7 100644 --- a/mkdtemp.c +++ b/mkdtemp.c @@ -10,8 +10,8 @@ char *mkdtemp (char *tmpl) { static const char LETTERS[] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; - static long value = 0; - long v; + static unsigned long value = 0; + unsigned long v; int len; int i, j; @@ -22,7 +22,7 @@ char *mkdtemp (char *tmpl) return NULL; } - value += ((long) time (NULL)) ^ getpid (); + value += ((unsigned long) time (NULL)) ^ getpid (); for (i = 0; i < 7 ; ++i, value += 7777) {
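
Review bot: In the first hunk (@@ -10,8 +10,8 @@), the new `static unsigned long value` and `unsigned long v` declarations carry no comment saying why they must be unsigned, so a later cleanup could switch them back to long and reintroduce the negative index the commit message describes. Suggest a one-line comment above them noting that v is reduced modulo 62 to index LETTERS and therefore must never be negative. Since LETTERS is declared in this same hunk, the modulus could also be written as `sizeof (LETTERS) - 1` where it is used, so the index bound follows the array instead of a literal.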
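
Review bot: In the second hunk (@@ -22,7 +22,7 @@), on the line `value += ((unsigned long) time (NULL)) ^ getpid ();`, only the time() operand is cast; getpid() returns a signed pid_t and becomes unsigned only through the implicit conversion in the XOR. The result is well defined, but casting it explicitly, as in `((unsigned long) time (NULL)) ^ (unsigned long) getpid ()`, would make both operands visibly unsigned and keep the expression correct if the left-hand cast is ever changed. Separately, the seed on this line is still only time and pid, so the change fixes the index but leaves the generated name guessable.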