*** nedit-5.5.ORIG/source/file.c Tue Aug 24 11:37:24 2004 --- nedit-5.5/source/file.c Thu Dec 29 11:25:07 2005 *************** *** 1314,1320 **** */ void PrintString(const char *string, int length, Widget parent, const char *jobName) { ! char tmpFileName[L_tmpnam]; /* L_tmpnam defined in stdio.h */ FILE *fp; int fd; --- 1314,1320 ---- */ void PrintString(const char *string, int length, Widget parent, const char *jobName) { ! char *tmpFileName=strdup("/tmp/neditXXXXXX"); FILE *fp; int fd; *************** *** 1325,1338 **** 1. Create a filename 2. Open the file with the O_CREAT|O_EXCL flags So all an attacker can do is a DoS on the print function. */ ! tmpnam(tmpFileName); /* open the temporary file */ ! #ifdef VMS ! if ((fp = fopen(tmpFileName, "w", "rfm = stmlf")) == NULL) ! #else ! if ((fd = open(tmpFileName, O_CREAT|O_EXCL|O_WRONLY, S_IRUSR | S_IWUSR)) < 0 || (fp = fdopen(fd, "w")) == NULL) ! #endif /* VMS */ { DialogF(DF_WARN, parent, 1, "Error while Printing", "Unable to write file for printing:\n%s", "OK", --- 1325,1334 ---- 1. Create a filename 2. Open the file with the O_CREAT|O_EXCL flags So all an attacker can do is a DoS on the print function. */ ! fd = mkstemp(tmpFileName); /* open the temporary file */ ! if ((fp = fdopen(fd, "w")) == NULL) { DialogF(DF_WARN, parent, 1, "Error while Printing", "Unable to write file for printing:\n%s", "OK", *************** *** 1346,1352 **** /* write to the file */ #ifdef IBM_FWRITE_BUG ! write(fileno(fp), string, length); #else fwrite(string, sizeof(char), length, fp); #endif --- 1342,1348 ---- /* write to the file */ #ifdef IBM_FWRITE_BUG ! write(fd, string, length); #else fwrite(string, sizeof(char), length, fp); #endif *************** *** 1356,1361 **** --- 1352,1358 ---- "%s not printed:\n%s", "OK", jobName, errorString()); fclose(fp); /* should call close(fd) in turn! */ remove(tmpFileName); + free(tmpFileName); return; } *************** *** 1366,1371 **** --- 1363,1369 ---- "Error closing temp. 
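Review bot: The `strdup("/tmp/neditXXXXXX")` result in the new declaration of `tmpFileName` is never checked, so on allocation failure a NULL template would reach `mkstemp()` in the next hunk. A writable array, `char tmpFileName[] = "/tmp/neditXXXXXX";`, gives mkstemp the modifiable buffer it needs without a heap allocation. It would also make the `free(tmpFileName);` lines added in the three later hunks unnecessary, and removes the risk of missing one on an early return. The hard-coded `/tmp` ignores any user-configured temporary directory, which deserves at least a comment. PrintString's body continues outside the hunk.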
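Review bot: The return value of `mkstemp()` is not tested before `fdopen(fd, "w")`, so a failed mkstemp shows up only as fdopen rejecting -1, and the dialog would presumably report that error rather than the real cause; `if (fd < 0 || (fp = fdopen(fd, "w")) == NULL)` covers both cases explicitly. When mkstemp succeeds but fdopen fails, the descriptor and the file in /tmp stay behind unless the rest of this branch, which lies outside the hunk, closes and removes them; none of the visible hunks adds a `free(tmpFileName)` for that return either. The retained comment still describes creating a name and then opening it with `O_CREAT|O_EXCL`; it should say instead that mkstemp creates and opens the file in one step. The `#ifdef VMS` open path is dropped without a replacement while a later hunk still carries a VMS conditional, so confirm that mkstemp is available on that target.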
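Review bot: The `write(fd, string, length)` call under `IBM_FWRITE_BUG` discards its return value, so a short or failed write goes unnoticed on this path unless the check after `#endif`, which is outside the hunk, looks at something other than the stdio stream state. A truncated temp file would then be handed to the print command as if it were complete. A minimal guard is `if (write(fd, string, length) != length) { /* treat as a write error */ }`. Writing to the raw descriptor also bypasses the buffer of `fp`, which is safe only while nothing has been written through `fp` first; a one-line comment stating that assumption would help.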
print file:\n%s", "OK", errorString()); remove(tmpFileName); + free(tmpFileName); return; } *************** *** 1377,1382 **** --- 1375,1381 ---- PrintFile(parent, tmpFileName, jobName); remove(tmpFileName); #endif /*VMS*/ + free(tmpFileName); return; }