Index: src/os_unix.c ================================================================== --- src/os_unix.c +++ src/os_unix.c @@ -2510,14 +2510,16 @@ if( !S_ISDIR(buf.st_mode) ) continue; if( access(azDirs[i], 07) ) continue; zDir = azDirs[i]; break; } + if( strlen(zDir) - sizeof(SQLITE_TEMP_FILE_PREFIX) - 17 <=0 ){ + return SQLITE_ERROR; + } do{ assert( pVfs->mxPathname==MAX_PATHNAME ); - assert( nBuf>=MAX_PATHNAME ); - sqlite3_snprintf(MAX_PATHNAME-17, zBuf, "%s/"SQLITE_TEMP_FILE_PREFIX, zDir); + sqlite3_snprintf(nBuf-17, zBuf, "%s/"SQLITE_TEMP_FILE_PREFIX, zDir); j = strlen(zBuf); sqlite3Randomness(15, &zBuf[j]); for(i=0; i<15; i++, j++){ zBuf[j] = (char)zChars[ ((unsigned char)zBuf[j])%(sizeof(zChars)-1) ]; } @@ -2549,20 +2551,20 @@ ** current working directly has been unlinked. */ SimulateIOError( return SQLITE_ERROR ); assert( pVfs->mxPathname==MAX_PATHNAME ); - zOut[MAX_PATHNAME-1] = '\0'; + zOut[nOut-1] = '\0'; if( zPath[0]=='/' ){ - sqlite3_snprintf(MAX_PATHNAME, zOut, "%s", zPath); + sqlite3_snprintf(nOut, zOut, "%s", zPath); }else{ int nCwd; - if( getcwd(zOut, MAX_PATHNAME-1)==0 ){ + if( getcwd(zOut, nOut-1)==0 ){ return SQLITE_CANTOPEN; } nCwd = strlen(zOut); - sqlite3_snprintf(MAX_PATHNAME-nCwd, &zOut[nCwd], "/%s", zPath); + sqlite3_snprintf(nOut-nCwd, &zOut[nCwd], "/%s", zPath); } return SQLITE_OK; #if 0 /* Index: src/os_win.c ================================================================== --- src/os_win.c +++ src/os_win.c @@ -1302,11 +1302,11 @@ return SQLITE_NOMEM; } } for(i=strlen(zTempPath); i>0 && zTempPath[i-1]=='\\'; i--){} zTempPath[i] = 0; - sqlite3_snprintf(pVfs->mxPathname-30, zBuf, + sqlite3_snprintf(nBuf-30, zBuf, "%s\\"SQLITE_TEMP_FILE_PREFIX, zTempPath); j = strlen(zBuf); sqlite3Randomness(20, &zBuf[j]); for(i=0; i<20; i++, j++){ zBuf[j] = (char)zChars[ ((unsigned char)zBuf[j])%(sizeof(zChars)-1) ];