Fixed handling of extremely long paths inside tempnam() function.

2 files changed, 5 insertions, 5 deletions

diff --git a/NEWS b/NEWS
index 7f08ae17aa..ca88662636 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,7 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2006, PHP 5.2.0
+- Fixed handling of extremely long paths inside tempnam() function. (Ilia)
 - Added control character checks for cURL extension's open_basedir/safe_mode
   checks. (Ilia)
 - Disable realpath cache when open_basedir or safe_mode are enabled on a 
diff --git a/main/php_open_temporary_file.c b/main/php_open_temporary_file.c
index 66453581fb..b2e27e2f79 100644
--- a/main/php_open_temporary_file.c
+++ b/main/php_open_temporary_file.c
@@ -114,17 +114,16 @@ static int php_do_open_temporary_file(const char *path, const char *pfx, char **
 
 	path_len = strlen(path);
 
-	if (!(opened_path = emalloc(MAXPATHLEN))) {
-		return -1;
-	}
-
 	if (!path_len || IS_SLASH(path[path_len - 1])) {
 		trailing_slash = "";
 	} else {
 		trailing_slash = "/";
 	}
 
-	(void)snprintf(opened_path, MAXPATHLEN, "%s%s%sXXXXXX", path, trailing_slash, pfx);
+	if (spprintf(&opened_path, 0, "%s%s%sXXXXXX", path, trailing_slash, pfx) >= MAXPATHLEN) {
+		efree(opened_path);
+		return -1;
+	}
 
 #ifdef PHP_WIN32
 	if (GetTempFileName(path, pfx, 0, opened_path)) {