2 files changed, 41 insertions, 34 deletions

diff --git a/g10/ChangeLog b/g10/ChangeLog
index c33f3b16e..0ffc85094 100644
--- a/g10/ChangeLog
+++ b/g10/ChangeLog
@@ -1,3 +1,8 @@
+2006-11-27  Werner Koch  <[email protected]>
+
+	* openfile.c (ask_outfile_name): Fixed buffer overflow occurring
+	if make_printable_string returns a longer string.  Fixes bug 728.
+
 2006-11-21  Werner Koch  <[email protected]>
 
 	* Makefile.am (needed_libs): libgnu needs to come after libcommon.
diff --git a/g10/openfile.c b/g10/openfile.c
index 5e3ae3fa8..6f004ecf1 100644
--- a/g10/openfile.c
+++ b/g10/openfile.c
@@ -95,7 +95,7 @@ overwrite_filep( const char *fname )
 
 
 /****************
- * Strip know extensions from iname and return a newly allocated
+ * Strip known extensions from iname and return a newly allocated
  * filename.  Return NULL if we can't do that.
  */
 char *
@@ -126,45 +126,47 @@ make_outfile_name( const char *iname )
 }
 
 
-/****************
- * Ask for a outputfilename and use the given one as default.
- * Return NULL if no file has been given or it is not possible to
- * ask the user.
+/* Ask for an output filename; use the given one as default.  Return
+   NULL if no file has been given or if it is not possible to ask the
+   user.  NAME is the template len which might conatin enbedded Nuls.
+   NAMELEN is its actual length.
  */
 char *
 ask_outfile_name( const char *name, size_t namelen )
 {
-    size_t n;
-    const char *s;
-    char *prompt;
-    char *fname;
-    char *defname;
-
-    if( opt.batch )
-	return NULL;
+  size_t n;
+  const char *s;
+  char *prompt;
+  char *fname;
+  char *defname;
 
-    s = _("Enter new filename");
-
-    n = strlen(s) + namelen + 10;
-    defname = name && namelen? make_printable_string( name, namelen, 0): NULL;
-    prompt = xmalloc(n);
-    if( defname )
-	sprintf(prompt, "%s [%s]: ", s, defname );
-    else
-	sprintf(prompt, "%s: ", s );
-    tty_enable_completion(NULL);
-    fname = cpr_get("openfile.askoutname", prompt );
-    cpr_kill_prompt();
-    tty_disable_completion();
-    xfree(prompt);
-    if( !*fname ) {
-	xfree( fname ); fname = NULL;
-	fname = defname; defname = NULL;
+  if ( opt.batch )
+    return NULL;
+  
+  defname = name && namelen? make_printable_string (name, namelen, 0) : NULL;
+
+  s = _("Enter new filename");
+  n = strlen(s) + (defname?strlen (defname):0) + 10;
+  prompt = xmalloc (n);
+  if (defname)
+    snprintf (prompt, n-1, "%s [%s]: ", s, defname );
+  else
+    snprintf (prompt, n-1, "%s: ", s );
+  tty_enable_completion(NULL);
+  fname = cpr_get ("openfile.askoutname", prompt );
+  cpr_kill_prompt ();
+  tty_disable_completion ();
+  xfree (prompt);
+  if ( !*fname ) 
+    {
+      xfree (fname); 
+      fname = defname;
+      defname = NULL;
     }
-    xfree(defname);
-    if (fname)
-        trim_spaces (fname);
-    return fname;
+  xfree (defname);
+  if (fname)
+    trim_spaces (fname);
+  return fname;
 }