fix potential non-zero termination of a string buffer

Author: Daniel Kroening

src/util/tempdir.cpp

@@ -12,6 +12,8 @@ Author: CM Wintersteiger
 #include <windows.h>
 #include <io.h>
 #include <direct.h>
+#else
+#include <vector>
 #endif
 
 #include <cstdlib>
@@ -34,17 +36,20 @@ std::string get_temporary_directory(const std::string &name_template)
   std::string result;
 
   #ifdef _WIN32
-    DWORD dwBufSize = MAX_PATH;
-    char lpPathBuffer[MAX_PATH];
+    DWORD dwBufSize = MAX_PATH+1;
+    char lpPathBuffer[MAX_PATH+1];
     DWORD dwRetVal = GetTempPathA(dwBufSize, lpPathBuffer);
 
     if(dwRetVal > dwBufSize || (dwRetVal == 0))
       throw "GetTempPath failed"; // NOLINT(readability/throw)
 
-    char t[MAX_PATH];
+    char t[MAX_PATH+1];
 
     strncpy(t, name_template.c_str(), MAX_PATH);
+    t[MAX_PATH]=0; // ensure zero termination
 
+    // the below appends, but Windows doesn't produce path names
+    // longer than MAX_PATH
     UINT uRetVal=GetTempFileNameA(lpPathBuffer, "TLO", 0, t);
     if(uRetVal == 0)
       throw "GetTempFileName failed"; // NOLINT(readability/throw)
@@ -64,9 +69,9 @@ std::string get_temporary_directory(const std::string &name_template)
       prefixed_name_template+='/';
     prefixed_name_template+=name_template;
 
-    char t[1000];
-    strncpy(t, prefixed_name_template.c_str(), 1000);
-    const char *td = mkdtemp(t);
+    std::vector<char> t(prefixed_name_template.begin(), prefixed_name_template.end());
+    t.push_back('\0'); // add the zero
+    const char *td = mkdtemp(t.data());
     if(!td)
       throw "mkdtemp failed";
     result=std::string(td);