authorIlia Alshanetsky <iliaa@php.net>2006-05-23 23:23:40 +0000
committerIlia Alshanetsky <iliaa@php.net>2006-05-23 23:23:40 +0000
commitf6753e96e352aa44464a9c93d033c76ffd5bd7c3 (patch)
tree4ed36f58a0d3e4c87b3d78010c769593f5b167a1
parentbb31f21dfb913f083ef5e440ba5245a7bd175a04 (diff)
downloadphp-git-f6753e96e352aa44464a9c93d033c76ffd5bd7c3.tar.gz
MFH: Fixed handling of extremely long paths inside tempnam() function.
-rw-r--r--NEWS1
-rw-r--r--main/php_open_temporary_file.c9
2 files changed, 5 insertions, 5 deletions
diff --git a/NEWS b/NEWS
index 0b92cc2485..0d02ce22c6 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,7 @@
PHP 4 NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? 2006, Version 4.4.3
+- Fixed handling of extremely long paths inside tempnam() function. (Ilia)
21 May 2006, Version 4.4.3RC1
- Added control character checks for cURL extension's open_basedir/safe_mode
diff --git a/main/php_open_temporary_file.c b/main/php_open_temporary_file.c
index 93daa91495..e870db76f1 100644
--- a/main/php_open_temporary_file.c
+++ b/main/php_open_temporary_file.c
@@ -115,17 +115,16 @@ static int php_do_open_temporary_file(const char *path, const char *pfx, char **
path_len = strlen(path);
- if (!(opened_path = emalloc(MAXPATHLEN))) {
- return -1;
- }
-
if (!path_len || IS_SLASH(path[path_len - 1])) {
trailing_slash = "";
} else {
trailing_slash = "/";
}
- (void)snprintf(opened_path, MAXPATHLEN, "%s%s%sXXXXXX", path, trailing_slash, pfx);
+ if (spprintf(&opened_path, 0, "%s%s%sXXXXXX", path, trailing_slash, pfx) >= MAXPATHLEN) {
+ efree(opened_path);
+ return -1;
+ }
#ifdef PHP_WIN32
if (GetTempFileName(path, pfx, 0, opened_path)) {
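Review bot: On the PHP_WIN32 path right after the added check, `opened_path` is passed to GetTempFileName() as the output buffer, but spprintf() now sizes that buffer to the formatted template instead of MAXPATHLEN. GetTempFileName() is documented to expect room for MAX_PATH characters and builds its own name (up to three prefix characters, a hex number and `.TMP`), which can be longer than `path` + `pfx` + `XXXXXX` when the prefix is short, so the call could write past the allocation. Consider growing the buffer inside the `#ifdef PHP_WIN32` branch before that call, e.g. `opened_path = erealloc(opened_path, MAXPATHLEN);`, with a short comment stating the MAX_PATH requirement. The rest of the Windows branch is outside this hunk, so how the buffer is used after the call should be confirmed there.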