diff -ur nedit-5.5_CVS20100831/source/file.c nedit-5.5_CVS20100831_f/source/file.c
--- nedit-5.5_CVS20100831/source/file.c 2010-08-31 18:47:59.000000000 +0200
+++ nedit-5.5_CVS20100831_f/source/file.c 2010-08-31 18:50:03.000000000 +0200
@@ -1372,7 +1372,7 @@
 */
 void PrintString(const char *string, int length, Widget parent, const char *jobName)
 {
- char tmpFileName[L_tmpnam]; /* L_tmpnam defined in stdio.h */
+ char *tmpFileName=strdup("/tmp/neditXXXXXX");
 FILE *fp;
 int fd;
@@ -1383,14 +1383,10 @@
 1. Create a filename 2. Open the file with the O_CREAT|O_EXCL flags So all an attacker can do is a DoS on the print function. */
- tmpnam(tmpFileName);
+ fd = mkstemp(tmpFileName);
 /* open the temporary file */
-#ifdef VMS
- if ((fp = fopen(tmpFileName, "w", "rfm = stmlf")) == NULL)
-#else
- if ((fd = open(tmpFileName, O_CREAT|O_EXCL|O_WRONLY, S_IRUSR | S_IWUSR)) < 0 || (fp = fdopen(fd, "w")) == NULL)
-#endif /* VMS */
+ if ((fp = fdopen(fd, "w")) == NULL)
 {
 DialogF(DF_WARN, parent, 1, "Error while Printing", "Unable to write file for printing:\n%s", "OK",
@@ -1404,7 +1400,7 @@
 /* write to the file */
 #ifdef IBM_FWRITE_BUG
- write(fileno(fp), string, length);
+ write(fd, string, length);
 #else
 fwrite(string, sizeof(char), length, fp);
 #endif
@@ -1414,6 +1410,7 @@
 "%s not printed:\n%s", "OK", jobName, errorString());
 fclose(fp); /* should call close(fd) in turn! */
 remove(tmpFileName);
+ free(tmpFileName);
 return;
 }
@@ -1424,6 +1421,7 @@
 "Error closing temp. print file:\n%s", "OK", errorString());
 remove(tmpFileName);
+ free(tmpFileName);
 return;
 }
@@ -1435,6 +1433,7 @@
 PrintFile(parent, tmpFileName, jobName);
 remove(tmpFileName);
 #endif /*VMS*/
+ free(tmpFileName);
 return;
 }
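Review bot: The `strdup` result on the new `tmpFileName` declaration is never checked, so an allocation failure would hand NULL to `mkstemp` in the next hunk. A writable array, `char tmpFileName[] = "/tmp/neditXXXXXX";`, gives mkstemp the same modifiable template without a heap allocation and would make the `free(tmpFileName);` calls added in the hunks at 1410, 1421 and 1433 unnecessary. The template also fixes the directory to /tmp, which is worth a short comment if that is intentional. PrintString's body continues outside this hunk.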
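Review bot: `fd = mkstemp(tmpFileName);` is never checked and the new condition tests only `fdopen`, so a failed mkstemp reaches fdopen with -1, and a failed fdopen after a successful mkstemp leaves the descriptor open and the temporary file on disk. Test both, `if (fd < 0 || (fp = fdopen(fd, "w")) == NULL)`, and in the failure branch add `if (fd >= 0) { close(fd); remove(tmpFileName); }`. That branch ends outside the hunk; if it returns there it also needs `free(tmpFileName);`, which this commit adds only on the later exits. The context comment above still describes the removed tmpnam/open sequence and should be updated, and dropping the `#ifdef VMS` branch presumably leaves the VMS build without a working open here.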
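Review bot: The `write(fd, string, length);` call under IBM_FWRITE_BUG discards its return value, so a short or failed write yields a truncated print file with no warning. Because the call bypasses stdio, an error check on `fp` after this point (not visible in this hunk) would presumably not notice it. Consider comparing the result with `length`, e.g. `if (write(fd, string, length) != length)`, and reporting it the same way as the fwrite failure path. The unchecked call predates this commit, which only swaps `fileno(fp)` for `fd`.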