===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/cvs/checkout.c,v
retrieving revision 1.85
retrieving revision 1.86
diff -c -r1.85 -r1.86
*** src/usr.bin/cvs/checkout.c 2007/01/26 21:48:17 1.85
--- src/usr.bin/cvs/checkout.c 2007/01/26 21:59:11 1.86
***************
*** 1,4 ****
! /* $OpenBSD: checkout.c,v 1.85 2007/01/26 21:48:17 xsa Exp $ */
/* * Copyright (c) 2006 Joris Vink *
--- 1,4 ----
! /* $OpenBSD: checkout.c,v 1.86 2007/01/26 21:59:11 otto Exp $ */
/* * Copyright (c) 2006 Joris Vink *
***************
*** 203,210 ****
time_t rcstime;
CVSENTRIES *ent;
struct timeval tv[2];
! char *template, *p, *entry, rev[16], timebuf[64];
! char kbuf[8], tbuf[32], stickytag[32];
rcsnum_tostr(rnum, rev, sizeof(rev));
--- 203,210 ----
time_t rcstime;
CVSENTRIES *ent;
struct timeval tv[2];
! char template[MAXPATHLEN], *p, entry[CVS_ENT_MAXLINELEN], rev[16];
! char timebuf[64], kbuf[8], tbuf[32], stickytag[32];
rcsnum_tostr(rnum, rev, sizeof(rev));
***************
*** 289,295 ****
"-k%s", cf->file_rcs->rf_expand);
}
- entry = xmalloc(CVS_ENT_MAXLINELEN);
l = snprintf(entry, CVS_ENT_MAXLINELEN, "/%s/%s/%s/%s/%s", cf->file_name, rev, timebuf, kbuf, stickytag);
--- 289,294 ----
***************
*** 309,327 ****
cvs_remote_output(entry);
if (!(co_flags & CO_COMMIT)) {
! (void)xasprintf(&template, "%s/checkout.XXXXXXXXXX", cvs_tmpdir);
/* XXX - fd race below */
rcs_rev_write_stmp(cf->file_rcs, rnum, template, 0);
cvs_remote_send_file(template);
cvs_worklist_run(&temp_files, cvs_worklist_unlink);
- xfree(template);
}
if (p != NULL) *p = ',';
}
-
- xfree(entry);
}
--- 308,325 ----
cvs_remote_output(entry);
if (!(co_flags & CO_COMMIT)) {
! l = snprintf(template, MAXPATHLEN, "%s/checkout.XXXXXXXXXX", cvs_tmpdir);
+ if (l == -1 || l >= (int)sizeof(template))
+ fatal("cvs_checkout_file: overflow");
/* XXX - fd race below */
rcs_rev_write_stmp(cf->file_rcs, rnum, template, 0);
cvs_remote_send_file(template);
cvs_worklist_run(&temp_files, cvs_worklist_unlink);
}
if (p != NULL) *p = ',';
}
}
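Review bot: The new `snprintf` into `template` passes `MAXPATHLEN` as the bound while the check on the following line compares against `sizeof(template)`; the two agree only while the declaration stays `char template[MAXPATHLEN]`, so use one expression in both places: `l = snprintf(template, sizeof(template), "%s/checkout.XXXXXXXXXX", cvs_tmpdir);`. The same applies to the `snprintf(entry, CVS_ENT_MAXLINELEN, ...)` call in the 289 hunk now that `entry` is an array; whether its result `l` is checked against the buffer size is not visible in these hunks. The path marked `/* XXX - fd race below */` is left as it was: the temporary file is still handed to `cvs_remote_send_file()` by name after `rcs_rev_write_stmp()` wrote it, which presumably means it is reopened by path in a shared temp directory, so a follow-up that passes the already-open descriptor would be worth tracking. The enclosing function begins above the hunk.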