Fix off-by-one bug when truncating tempnam prefix

athos-ribeiro · Girgias · commit cbfd73765a0a · 2023-08-08T09:46:27.000+01:00
The tempnam documentation currently states that "Only the first 63 characters of the prefix are used, the rest are ignored". However when the prefix is 64 characters-long, the current implementation fails to strip the last character, diverging from the documented behavior. This patch fixes the implementation so it matches the documented behavior for that specific case where the prefix is 64 characters long. Closes GH-11870 Signed-off-by: George Peter Banyard <girgias@php.net>
diff --git a/NEWS b/NEWS
@@ -49,6 +49,8 @@ PHP                                                                        NEWS
 
 - Standard:
   . Prevent int overflow on $decimals in number_format. (Marc Bennewitz)
+  . Fixed bug GH-11870 (Fix off-by-one bug when truncating tempnam prefix)
+    (athos-ribeiro)
 
 03 Aug 2023, PHP 8.1.22
 
diff --git a/ext/standard/file.c b/ext/standard/file.c
@@ -834,7 +834,7 @@ PHP_FUNCTION(tempnam)
 	ZEND_PARSE_PARAMETERS_END();
 
 	p = php_basename(prefix, prefix_len, NULL, 0);
-	if (ZSTR_LEN(p) > 64) {
+	if (ZSTR_LEN(p) >= 64) {
 		ZSTR_VAL(p)[63] = '\0';
 	}
 
diff --git a/ext/standard/tests/file/tempnam_variation9.phpt b/ext/standard/tests/file/tempnam_variation9.phpt
@@ -0,0 +1,73 @@
+--TEST--
+Test tempnam() function: usage variations - test prefix maximum size
+--SKIPIF--
+<?php
+if (PHP_OS_FAMILY !== 'Windows') {
+    die("skip Do not run on Windows");
+}
+?>
+--FILE--
+<?php
+/* Testing the maximum prefix size */
+
+echo "*** Testing tempnam() maximum prefix size ***\n";
+$file_path = __DIR__."/tempnamVar9";
+mkdir($file_path);
+
+$pre_prefix = "begin_";
+$post_prefix = "_end";
+$fixed_length = strlen($pre_prefix) + strlen($post_prefix);
+/* An array of prefixes */
+$names_arr = [
+  $pre_prefix . str_repeat("x", 7) . $post_prefix,
+  $pre_prefix . str_repeat("x", 63 - $fixed_length) . $post_prefix,
+  $pre_prefix . str_repeat("x", 64 - $fixed_length) . $post_prefix,
+  $pre_prefix . str_repeat("x", 65 - $fixed_length) . $post_prefix,
+  $pre_prefix . str_repeat("x", 300) . $post_prefix,
+];
+
+foreach($names_arr as $i=>$prefix) {
+    echo "-- Iteration $i --\n";
+    try {
+        $file_name = tempnam("$file_path", $prefix);
+    } catch (Error $e) {
+        echo $e->getMessage(), "\n";
+        continue;
+    }
+
+    $base_name = basename($file_name);
+    echo "File name is => ", $base_name, "\n";
+    echo "File name length is => ", strlen($base_name), "\n";
+
+    if (file_exists($file_name)) {
+        unlink($file_name);
+    }
+}
+rmdir($file_path);
+
+?>
+--CLEAN--
+<?php
+$file_path = __DIR__."/tempnamVar9";
+if (file_exists($file_path)) {
+    array_map('unlink', glob($file_path . "/*"));
+    rmdir($file_path);
+}
+?>
+--EXPECTF--
+*** Testing tempnam() maximum prefix size ***
+-- Iteration 0 --
+File name is => begin_%rx{7}%r_end%r.{6}%r
+File name length is => 23
+-- Iteration 1 --
+File name is => begin_%rx{53}%r_end%r.{6}%r
+File name length is => 69
+-- Iteration 2 --
+File name is => begin_%rx{54}%r_en%r.{6}%r
+File name length is => 69
+-- Iteration 3 --
+File name is => begin_%rx{55}%r_e%r.{6}%r
+File name length is => 69
+-- Iteration 4 --
+File name is => begin_%rx{57}%r%r.{6}%r
+File name length is => 69

Original file line number	Diff line number	Diff line change
`@@ -834,7 +834,7 @@ PHP_FUNCTION(tempnam)`
`834`	`834`	`ZEND_PARSE_PARAMETERS_END();`
`835`	`835`
`836`	`836`	`p = php_basename(prefix, prefix_len, NULL, 0);`
`837`		`- if (ZSTR_LEN(p) > 64) {`
	`837`	`+ if (ZSTR_LEN(p) >= 64) {`
`838`	`838`	`ZSTR_VAL(p)[63] = '\0';`
`839`	`839`	`}`
`840`	`840`