diff -rup qemu-kvm-0.15.1/block/vvfat.c frob/block/vvfat.c

--- qemu-kvm-0.15.1/block/vvfat.c	2012-07-29 20:56:28.318227757 -0400

+++ frob/block/vvfat.c	2012-07-29 20:59:15.537859208 -0400

@@ -2795,7 +2795,12 @@ static int enable_write_target(BDRVVVFAT

     array_init(&(s->commits), sizeof(commit_t));

     s->qcow_filename = qemu_malloc(1024);

-    get_tmp_filename(s->qcow_filename, 1024);

+    ret = get_tmp_filename(s->qcow_filename, 1024);

+    if (ret < 0) {

+        free(s->qcow_filename);

+        s->qcow_filename = NULL;

+        return ret;

+    }

     bdrv_qcow = bdrv_find_format("qcow");

     options = parse_option_parameters("", bdrv_qcow->create_options, NULL);

diff -rup qemu-kvm-0.15.1/block.c frob/block.c

--- qemu-kvm-0.15.1/block.c	2012-07-29 20:56:28.367221495 -0400

+++ frob/block.c	2012-07-29 20:58:24.931326050 -0400

@@ -254,28 +254,36 @@ int bdrv_create_file(const char* filenam

     return bdrv_create(drv, filename, options);

 }

-#ifdef _WIN32

-void get_tmp_filename(char *filename, int size)

+/*

+ * Create a uniquely-named empty temporary file.

+ * Return 0 upon success, otherwise a negative errno value.

+ */

+int get_tmp_filename(char *filename, int size)

 {

+#ifdef _WIN32

     char temp_dir[MAX_PATH];

-

-    GetTempPath(MAX_PATH, temp_dir);

-    GetTempFileName(temp_dir, "qem", 0, filename);

-}

+    /* GetTempFileName requires that its output buffer (4th param)

+       have length MAX_PATH or greater.  */

+    assert(size >= MAX_PATH);

+    return (GetTempPath(MAX_PATH, temp_dir)

+            && GetTempFileName(temp_dir, "qem", 0, filename)

+            ? 0 : -GetLastError());

 #else

-void get_tmp_filename(char *filename, int size)

-{

     int fd;

     const char *tmpdir;

-    /* XXX: race condition possible */

     tmpdir = getenv("TMPDIR");

     if (!tmpdir)

         tmpdir = "/tmp";

-    snprintf(filename, size, "%s/vl.XXXXXX", tmpdir);

+    if (snprintf(filename, size, "%s/vl.XXXXXX", tmpdir) >= size) {

+        return -EOVERFLOW;

+    }

     fd = mkstemp(filename);

-    close(fd);

-}

+    if (fd < 0 || close(fd)) {

+        return -errno;

+    }

+    return 0;

 #endif

+}

 /*

  * Detect host devices. By convention, /dev/cdrom[N] is always

@@ -555,7 +563,10 @@ int bdrv_open(BlockDriverState *bs, cons

         bdrv_delete(bs1);

-        get_tmp_filename(tmp_filename, sizeof(tmp_filename));

+        ret = get_tmp_filename(tmp_filename, sizeof(tmp_filename));

+        if (ret < 0) {

+            return ret;

+        }

         /* Real path is meaningless for protocols */

         if (is_protocol)

diff -rup qemu-kvm-0.15.1/block_int.h frob/block_int.h

--- qemu-kvm-0.15.1/block_int.h	2011-10-19 09:54:48.000000000 -0400

+++ frob/block_int.h	2012-07-29 20:58:24.932325925 -0400

@@ -216,7 +216,7 @@ struct BlockDriverAIOCB {

     BlockDriverAIOCB *next;

 };

-void get_tmp_filename(char *filename, int size);

+int get_tmp_filename(char *filename, int size);

 void *qemu_aio_get(AIOPool *pool, BlockDriverState *bs,

                    BlockDriverCompletionFunc *cb, void *opaque);