fix undefined behavior in getdelim via null pointer arithmetic and memcpy

[musl] / src / temp / mkdtemp.c

diff --git a/src/temp/mkdtemp.c b/src/temp/mkdtemp.c
index f2ecc51..5708257 100644 (file)
--- a/src/temp/mkdtemp.c
+++ b/src/temp/mkdtemp.c
@@ -1,25 +1,23 @@
 #include <string.h>
-#include <stdio.h>
 #include <stdlib.h>
-#include <fcntl.h>
-#include <unistd.h>
-#include <limits.h>
 #include <errno.h>
 #include <sys/stat.h>
-#include "libc.h"
-
-char *__mktemp(char *);
 
 char *mkdtemp(char *template)
 {
+       size_t l = strlen(template);
        int retries = 100;
-       while (retries--) {
-               if (!__mktemp(template)) return 0;
-               if (!mkdir(template, 0700)) return template;
-               if (errno != EEXIST) return 0;
-               /* this is safe because mktemp verified
-                * that we have a valid template string */
-               strcpy(template+strlen(template)-6, "XXXXXX");
+
+       if (l<6 || memcmp(template+l-6, "XXXXXX", 6)) {
+               errno = EINVAL;
+               return 0;
        }
+
+       do {
+               __randname(template+l-6);
+               if (!mkdir(template, 0700)) return template;
+       } while (--retries && errno == EEXIST);
+
+       memcpy(template+l-6, "XXXXXX", 6);
        return 0;
 }