diff -rup qemu-kvm-0.15.1/block/vvfat.c frob/block/vvfat.c
--- qemu-kvm-0.15.1/block/vvfat.c 2012-07-29 20:56:28.318227757 -0400
+++ frob/block/vvfat.c 2012-07-29 20:59:15.537859208 -0400
@@ -2795,7 +2795,12 @@ static int enable_write_target(BDRVVVFAT
array_init(&(s->commits), sizeof(commit_t));
s->qcow_filename = qemu_malloc(1024);
- get_tmp_filename(s->qcow_filename, 1024);
+ ret = get_tmp_filename(s->qcow_filename, 1024);
+ if (ret < 0) {
+ free(s->qcow_filename);
+ s->qcow_filename = NULL;
+ return ret;
+ }
bdrv_qcow = bdrv_find_format("qcow");
options = parse_option_parameters("", bdrv_qcow->create_options, NULL);
diff -rup qemu-kvm-0.15.1/block.c frob/block.c
--- qemu-kvm-0.15.1/block.c 2012-07-29 20:56:28.367221495 -0400
+++ frob/block.c 2012-07-29 20:58:24.931326050 -0400
@@ -254,28 +254,36 @@ int bdrv_create_file(const char* filenam
return bdrv_create(drv, filename, options);
}
-#ifdef _WIN32
-void get_tmp_filename(char *filename, int size)
+/*
+ * Create a uniquely-named empty temporary file.
+ * Return 0 upon success, otherwise a negative errno value.
+ */
+int get_tmp_filename(char *filename, int size)
{
+#ifdef _WIN32
char temp_dir[MAX_PATH];
-
- GetTempPath(MAX_PATH, temp_dir);
- GetTempFileName(temp_dir, "qem", 0, filename);
-}
+ /* GetTempFileName requires that its output buffer (4th param)
+ have length MAX_PATH or greater. */
+ assert(size >= MAX_PATH);
+ return (GetTempPath(MAX_PATH, temp_dir)
+ && GetTempFileName(temp_dir, "qem", 0, filename)
+ ? 0 : -GetLastError());
#else
-void get_tmp_filename(char *filename, int size)
-{
int fd;
const char *tmpdir;
- /* XXX: race condition possible */
tmpdir = getenv("TMPDIR");
if (!tmpdir)
tmpdir = "/tmp";
- snprintf(filename, size, "%s/vl.XXXXXX", tmpdir);
+ if (snprintf(filename, size, "%s/vl.XXXXXX", tmpdir) >= size) {
+ return -EOVERFLOW;
+ }
fd = mkstemp(filename);
- close(fd);
-}
+ if (fd < 0 || close(fd)) {
+ return -errno;
+ }
+ return 0;
#endif
+}
/*
* Detect host devices. By convention, /dev/cdrom[N] is always
@@ -555,7 +563,10 @@ int bdrv_open(BlockDriverState *bs, cons
bdrv_delete(bs1);
- get_tmp_filename(tmp_filename, sizeof(tmp_filename));
+ ret = get_tmp_filename(tmp_filename, sizeof(tmp_filename));
+ if (ret < 0) {
+ return ret;
+ }
/* Real path is meaningless for protocols */
if (is_protocol)
diff -rup qemu-kvm-0.15.1/block_int.h frob/block_int.h
--- qemu-kvm-0.15.1/block_int.h 2011-10-19 09:54:48.000000000 -0400
+++ frob/block_int.h 2012-07-29 20:58:24.932325925 -0400
@@ -216,7 +216,7 @@ struct BlockDriverAIOCB {
BlockDriverAIOCB *next;
};
-void get_tmp_filename(char *filename, int size);
+int get_tmp_filename(char *filename, int size);
void *qemu_aio_get(AIOPool *pool, BlockDriverState *bs,
BlockDriverCompletionFunc *cb, void *opaque);