From 5459104358d385fa2c1b34dd228e5c47bf3bce2f Mon Sep 17 00:00:00 2001
From: Guy Harris
Date: Wed, 30 Oct 2019 14:56:32 -0700
Subject: Fix the temporary file string buffer expansion.

The buffer needs to be big enough to include the trailing '\0', so we need to compare the buffer's length against strlen(name) + 1, not against strlen(name).

Bug: 15751
Change-Id: I75ae65f8c818284834d761d9dd911d029cfca3b1
Reviewed-on: https://code.wireshark.org/review/34892
Petri-Dish: Guy Harris
Tested-by: Petri Dish Buildbot
Reviewed-by: Guy Harris
---
 wsutil/tempfile.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
(limited to 'wsutil/tempfile.c')
diff --git a/wsutil/tempfile.c b/wsutil/tempfile.c
index b25f4a5448..40b3de86ff 100644
--- a/wsutil/tempfile.c
+++ b/wsutil/tempfile.c
@@ -114,6 +114,7 @@ create_tempfile(char **namebuf, const char *pfx, const char *sfx)
 struct tm *tm;
 char timestr[14 + 1];
 gchar *tmp_file;
+ size_t tmp_file_strsize;
 gchar *safe_pfx;
 gchar sep[2] = {0, 0};
 
@@ -154,8 +155,9 @@ create_tempfile(char **namebuf, const char *pfx, const char *sfx)
 sep[0] = G_DIR_SEPARATOR;
 tmp_file = g_strconcat(tmp_dir, sep, safe_pfx, "_", timestr, "_", TMP_FILE_SUFFIX, sfx, NULL);
 g_free(safe_pfx);
- if (strlen(tmp_file) > tf[idx].len) {
- tf[idx].len = strlen(tmp_file) + 1;
+ tmp_file_strsize = strlen(tmp_file) + 1;
+ if (tmp_file_strsize > tf[idx].len) {
+ tf[idx].len = tmp_file_strsize;
 tf[idx].path = (char *)g_realloc(tf[idx].path, tf[idx].len);
 }
 g_strlcpy(tf[idx].path, tmp_file, tf[idx].len);
-- 
cgit v1.2.3
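Review bot: The `g_strlcpy()` on the last line of the second hunk still discards its return value, so if the sizing above it ever regresses, the stored path is silently truncated again instead of being reported. Because that copy is bounded by `tf[idx].len`, the old off-by-one would have shown up as a name one character short when `strlen(tmp_file)` equalled the existing length, not as a write past the buffer, which is presumably why it was easy to miss. `g_strlcpy()` returns the source length, so capturing the result and treating `>= tf[idx].len` as an error would catch this; at minimum add a comment such as `/* tf[idx].len >= tmp_file_strsize here, so this copy cannot truncate */`. create_tempfile() continues past the end of the hunk, so how `tf[idx].path` is consumed afterwards is not visible here; if it is used as the template for creating the file, a truncated name would affect which file gets created.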