--- nedit-5.5/source/file.c.orig 2004-08-24 13:37:24 +0400 +++ nedit-5.5/source/file.c 2005-03-14 20:18:19 +0300 @@ -1314,25 +1314,23 @@ void PrintWindow(WindowInfo *window, int */ void PrintString(const char *string, int length, Widget parent, const char *jobName) { - char tmpFileName[L_tmpnam]; /* L_tmpnam defined in stdio.h */ FILE *fp; int fd; + const char progname[] = "nedit"; + const char suffix[] = ".XXXXXX"; + const char *tmpdir = getenv("TMPDIR") ? : P_tmpdir; + unsigned tmplen = strlen(tmpdir); + unsigned proglen = sizeof(progname) - 1; + char tmpFileName[2 + tmplen + proglen + sizeof(suffix)]; /* Generate a temporary file name */ - /* If the glibc is used, the linker issues a warning at this point. This is - very thoughtful of him, but does not apply to NEdit. The recommended - replacement mkstemp(3) uses the same algorithm as NEdit, namely - 1. Create a filename - 2. Open the file with the O_CREAT|O_EXCL flags - So all an attacker can do is a DoS on the print function. */ - tmpnam(tmpFileName); + memcpy(tmpFileName, tmpdir, tmplen); + tmpFileName[tmplen] = '/'; + memcpy(tmpFileName + tmplen + 1, progname, proglen); + memcpy(tmpFileName + tmplen + 1 + proglen, suffix, sizeof(suffix)); /* open the temporary file */ -#ifdef VMS - if ((fp = fopen(tmpFileName, "w", "rfm = stmlf")) == NULL) -#else - if ((fd = open(tmpFileName, O_CREAT|O_EXCL|O_WRONLY, S_IRUSR | S_IWUSR)) < 0 || (fp = fdopen(fd, "w")) == NULL) -#endif /* VMS */ + if ((fd = mkstemp(tmpFileName)) < 0 || (fp = fdopen(fd, "w")) == NULL) { DialogF(DF_WARN, parent, 1, "Error while Printing", "Unable to write file for printing:\n%s", "OK", @@ -1340,16 +1338,8 @@ void PrintString(const char *string, int return; } -#ifdef VMS - chmod(tmpFileName, S_IRUSR | S_IWUSR); -#endif - /* write to the file */ -#ifdef IBM_FWRITE_BUG - write(fileno(fp), string, length); -#else fwrite(string, sizeof(char), length, fp); -#endif if (ferror(fp)) { DialogF(DF_ERR, parent, 1, "Error while Printing",