Bug#544682: [PATCH] Use mkdtemp if available, prevent writing past end of string otherwise.

Bram Moolenaar Bram at Moolenaar.net
Mon Nov 9 18:43:17 UTC 2009 

James -

> vim_tempname, when TEMPDIRS is defined, attempts to create a temp directory as
> follows:
> 
> for each dir in TEMPDIRS
>   if dir exists
>     for i in 1 .. 10000
>       append vXXXXXX string to dirname
>       mkdir dirname
>       if mkdir succeeded, break
>       else, continue with next i
> 
> The problem here is that itmp, which stores the directory name, is only
> TEMPNAMELEN bytes long (max of 256).  Yet, the loop appends 7 characters
> potentially 10,000 times.  This blatantly writes past the end of itmp if the
> loop runs more than a handful of times.
> 
> Exactly this happened in <http://bugs.debian.org/544682>.  The fault lies
> squarely in smbnetfs for erroneously stating that $TMPDIR, $TMPDIRv667563,
> $TMPDIRv667563v66754, etc. were existing directories, but Vim should avoid
> crashing in that scenario.
> 
> First, the logic for creating a temp directory should take advantage of
> existing library functionality.  To that end, vim_tempfile will now use
> mkdtemp if it is available.  This change itself prevents the crash from
> happening wherever Vim can use mkdtemp (which should be widely available).
> 
> Second, if mkdtemp isn't used, vim_tempfile will overwrite the previous
> generated string instead of appending to itmp.  I.e., directory names will
> progress as $TMPDIRv667563, $TMPDIRv667564, $TMPDIRv667565, etc. instead of
> $TMPDIRv667563, $TMPDIRv667563v667564, $TMPDIRv667563v667564v667565.  This
> is meant as a safe guard for the places, if there are any, where the
> TEMPDIRS section of the code is run and mkdtemp is not available.

Thanks for the patch, I'll look into it soon.

- Bram

-- 
INSPECTOR END OF FILM: Move along.  There's nothing to see!  Keep moving!
   [Suddenly he notices the cameras.]
INSPECTOR END OF FILM: (to Camera) All right, put that away sonny.
   [He walks over to it and puts his hand over the lens.]
                 "Monty Python and the Holy Grail" PYTHON (MONTY) PICTURES LTD

 /// Bram Moolenaar -- Bram at Moolenaar.net -- http://www.Moolenaar.net   \\\
///        sponsor Vim, vote for features -- http://www.Vim.org/sponsor/ \\\
\\\        download, build and distribute -- http://www.A-A-P.org        ///
 \\\            help me help AIDS victims -- http://ICCF-Holland.org    ///

More information about the pkg-vim-maintainers mailing list