From: massey AT surefirev DOT com (Todd Massey)
Subject: B19: tempnam memory allocation bug
16 Oct 1998 08:34:20 -0700
Message-ID: <3.0.3.32.19981015093217.00b73520.cygnus.gnu-win32@appr>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: gnu-win32 AT cygnus DOT com

Found in newlib/libc/stdio/tmpnam.c

The problem exists in the following line:

  length = strlen (dir) + strlen (pfx) + 10 + 1;

It seems that the assumption was made that there are 2 integers of size
4 bytes each being used in the tempnam, thus:

  10 = 4 (first integer) + 4 (second integer) + 1 ('_') + 1 ('.')

The problem is that when you print an integer out as hex in a character
string, every character actually represents 4 bits of the integer, thus
8 bytes per integer are used. Thus it should be:

  18 = 8 (first integer) + 8 (second integer) + 1 ('_') + 1 ('.')

So the line should be:

  length = strlen (dir) + strlen (pfx) + 18 + 1;

char *
_DEFUN (_tempnam_r, (p, dir, pfx),
        struct _reent *p _AND
        char *dir _AND
        char *pfx)
{
  char *filename;
  int length;
  if (dir == NULL && (dir = getenv ("TMPDIR")) == NULL)
    dir = P_tmpdir;

  length = strlen (dir) + strlen (pfx) + 10 + 1;  /* two 8 digit numbers + . / */

  filename = _malloc_r (p, length);
  if (filename)
    {
      if (! worker (p, filename, dir, pfx,
                    _getpid_r (p) ^ (int) (_POINTER_INT) p, &p->_inc))
        return NULL;
    }
  return filename;
}

    /\        Todd Massey
   /\//       SureFire Verification Inc.
  /\///\      1671 Dell Ave, Campbell, CA 95008 -- 408-374-4100 x102
 _\///\/      Formerly Silicon Sorcery
  \//\/       Check out the Scuba Divers Review Site
   \/         ----> www.scuba-divers.com
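The sizing arithmetic from the message above, as an added example that is not part of the original post or of newlib: it measures how many bytes the generated name needs for given values and compares that with the B19 and corrected allocations. The format string is an assumption taken from the "two 8 digit numbers + . /" comment (worker() is not shown in the post); the function names, the 32-bit unsigned values and the sample inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed layout of the name worker() writes: dir '/' pfx hex '.' hex.
   worker() is not shown in the post; this follows the comment in the
   quoted code ("two 8 digit numbers + . /"). */
#define NAME_FMT "%s/%s%x.%x"

/* Size the B19 code passes to _malloc_r. */
size_t len_b19(const char *dir, const char *pfx)
{
    return strlen(dir) + strlen(pfx) + 10 + 1;
}

/* Size with the correction proposed in the post. */
size_t len_fixed(const char *dir, const char *pfx)
{
    return strlen(dir) + strlen(pfx) + 18 + 1;
}

/* Bytes the formatted name really needs, terminating NUL included. */
size_t len_needed(const char *dir, const char *pfx, unsigned a, unsigned b)
{
    int n = snprintf(NULL, 0, NAME_FMT, dir, pfx, a, b);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Bounded formatting: 0 on success, -1 if the name would not fit in cap. */
int build_name(char *buf, size_t cap, const char *dir, const char *pfx,
               unsigned a, unsigned b)
{
    int n = snprintf(buf, cap, NAME_FMT, dir, pfx, a, b);
    return (n >= 0 && (size_t)n < cap) ? 0 : -1;
}

int main(void)
{
    const char *dir = "/tmp", *pfx = "abc";   /* constructed inputs */
    /* Constructed values: small, typical pid^pointer, worst case. */
    unsigned vals[][2] = { {0x1a2bu, 0u}, {0x7ffe1a2bu, 0x10u},
                           {0xffffffffu, 0xffffffffu} };
    for (size_t i = 0; i < 3; i++)
        printf("%x.%x: need %zu, B19 allocates %zu, fixed allocates %zu\n",
               vals[i][0], vals[i][1],
               len_needed(dir, pfx, vals[i][0], vals[i][1]),
               len_b19(dir, pfx), len_fixed(dir, pfx));
    return 0;
}
```

The undersized buffer is only overrun when the two numbers together print more than 8 hex digits, which is why the bug can go unnoticed with small values; the corrected size matches the worst case exactly.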