Fix mkdtemp() random signedness · jcs.org/mutt@9b965fa

mutt stable branch with some hacks

Fix mkdtemp() random signedness

time_t return of time() may be signed 32-bit and in that case
probably will roll over in the year 2038 and yield a negative
value; signedness was propagated in the XOR operation to the
'value' and then 'v' variables. The 'v % 62' operation then would
had resulted in a negative value and LETTER[v%62] would had
accessed an arbitrary data location.

The same could had happened if the static long 'value' variable
after a very long run time contained a sufficiently large value to
which the time^pid value added resulted in a wrap / roll-over to a
negative value.

Using unsigned long types for 'value' and 'v' and casting time_t
to unsigned long cures all this.

authored by

Eike Rathke and committed by

Kevin McCarthy 7 years ago 9b965fac 9a3b8a7c

+3 -3

1 changed file

expand all

mkdtemp.c

+3 -3

mkdtemp.c

··· 10 10 char *mkdtemp (char *tmpl) 11 11 { 12 12 static const char LETTERS[] = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"; 13 - static long value = 0; 14 - long v; 13 + static unsigned long value = 0; 14 + unsigned long v; 15 15 int len; 16 16 int i, j; 17 17 ··· 22 22 return NULL; 23 23 } 24 24 25 - value += ((long) time (NULL)) ^ getpid (); 25 + value += ((unsigned long) time (NULL)) ^ getpid (); 26 26 27 27 for (i = 0; i < 7 ; ++i, value += 7777) 28 28 {