Document number: N1873
Submitter: Martin Sebor
Submission Date: September 29, 2014
Subject: tmpnam_s clears s[0] when maxsize > RSIZE_MAX

Changes From N1752

During a discussion of the paper at the October 2013 meeting the committee requested that the suggested technical corrigendum be broken up into more parts for both clarity and consistency. After a few attempts the author decided that none was clearer or more consistent than the original text. In fact, all of them resulted in cumbersome rephrasing than would make the specification less clear. As a result, this paper leaves the original proposed technical corrigendum unchanged.

Summary

The majority of bounds checking functions are specified to set the first element of the destination buffer, s[0], to the NUL character when a constraint violation occurs and the s pointer is non-null and the size of the buffer is greater than zero and less than or equal to SIZE_MAX.

However, the tmpnam_s function sets s[0] to NUL even when maxsize is greater than RSIZE_MAX, making its behavior on constraint violation inconsistent with the rest.

Suggested Technical Corrigendum

Change paragraph 8 in the Returns section of tmpnam_s to read:

If no suitable string can be generated, or if there is a runtime-constraint violation and s is not null and maxsize is greater than zero and not greater than RSIZE_MAX, the tmpnam_s function writes a null character to s[0] (only if s is not null and maxsize is greater than zero) sets s[0] to the null character and returns a nonzero value.