Subject: Re: mkstemp() core dump
To: Lennart Augustsson <augustss@cs.chalmers.se>
From: Patrick Welche <prlw1@newn.cam.ac.uk>
List: current-users
Date: 09/02/1999 16:10:07
Lennart Augustsson wrote:
> 
> 
> > As usual, the code in gettemp.c looks fine...
> Does it?
> 
> > 
> >         /* Move to end of path and count trailing X's. */
> >         for (trv = path; *trv; ++trv) */   
> >                 if (*trv == 'X')
> >                         xcnt++;
> >                 else    
> >                         xcnt = 0;
> > 
> >         /* Use at least one from xtra.  Use 2 if more than 6 X's. */
> >         if (*(trv-1) == 'X')
> Maybe I've not had enough coffee, but isn't code in gettemp.c
> missing a lot of tests?  The trv pointer should never point
> before path, but it can.  Imagine path being "", then trv
> will point at the NUL byte, and *(trv-1) will access the byte
> before the passed argument.
> 
> I don't know if this is the cause of your problem, but it
> sure looks buggy to me.

Fair enough, but in my case path is "/tmp/dico.XXXX" so *(trv-1) really
is 'X'. I also tried changing for() to while() so that trv really must
point at the NUL at the end of path. I had also assumed that path would
be checked in mkstemp which calls gettemp, but no, you're right, sending
an empty path should break.

Cheers,

Patrick
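
The empty-path case discussed in this thread, as an added example that is not part of the original messages and is not the NetBSD gettemp.c code: the same trailing-X loop, guarded so that the byte before `path` is never read. The helper name `count_trailing_x` and the choice to reject bad templates with `EINVAL` are assumptions of this example.

```c
#include <errno.h>
#include <stddef.h>

/*
 * Hypothetical helper (not from gettemp.c): validate a mkstemp()-style
 * template and return the number of trailing 'X' characters.
 * Returns -1 with errno = EINVAL for a NULL or empty path, or for a
 * path that does not end in 'X'.
 */
int
count_trailing_x(const char *path)
{
	const char *trv;
	int xcnt = 0;

	/* Reject "" up front: otherwise trv == path after the loop and
	 * trv[-1] would read the byte before the caller's buffer. */
	if (path == NULL || *path == '\0') {
		errno = EINVAL;
		return -1;
	}

	/* Move to end of path and count trailing X's. */
	for (trv = path; *trv; ++trv) {
		if (*trv == 'X')
			xcnt++;
		else
			xcnt = 0;
	}

	/* The loop ran at least once, so trv > path and trv[-1] is
	 * the last character of the template. */
	if (trv[-1] != 'X') {
		errno = EINVAL;
		return -1;
	}
	return xcnt;
}
```
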