malloc(sizeof(tmp_name)) will allocate enough space to store one pointer. You then copy up to MAX_PATH_LEN bytes into that allocation, which is clearly wrong.
You should replace the sizeof(...) with a correct size calculation, probably 1 + strlen(...).
Also, strncpy will not null terminate the destination buffer if there is no null terminator within the first MAX_PATH_LEN bytes of tmp_name. This is probably a bug.
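
An added example, not part of the original answer: a copy routine that sizes the allocation from the string length and always terminates the result. The helper name copy_path, the MAX_PATH_LEN value of 256 and the sample path are assumptions; only tmp_name and MAX_PATH_LEN come from the answer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PATH_LEN 256   /* assumed value; the page does not give one */

/* Pattern the answer describes (shown as a comment, not compiled):
 *     char *copy = malloc(sizeof(tmp_name));   -- size of a pointer (4 or 8)
 *     strncpy(copy, tmp_name, MAX_PATH_LEN);   -- always writes MAX_PATH_LEN
 *                                                 bytes (strncpy zero-pads),
 *                                                 so the heap block overflows
 */

/* Hypothetical helper: returns a heap copy of tmp_name, or NULL when the
 * name is missing, does not fit in MAX_PATH_LEN bytes including its
 * terminator, or the allocation fails. The caller frees the result. */
char *copy_path(const char *tmp_name)
{
    if (tmp_name == NULL)
        return NULL;

    /* Bounded scan: stops at the terminator or after MAX_PATH_LEN bytes. */
    const char *end = memchr(tmp_name, '\0', MAX_PATH_LEN);
    if (end == NULL)
        return NULL;               /* too long: reject, do not truncate */

    size_t len = (size_t)(end - tmp_name);
    char *copy = malloc(len + 1);  /* 1 + strlen(...), as the answer suggests */
    if (copy == NULL)
        return NULL;

    memcpy(copy, tmp_name, len);
    copy[len] = '\0';              /* explicit terminator, unlike strncpy */
    return copy;
}

int main(void)
{
    char *p = copy_path("/tmp/upload_01");   /* constructed sample path */
    if (p == NULL)
        return 1;
    printf("copied %zu bytes: %s\n", strlen(p) + 1, p);
    free(p);
    return 0;
}
```

Rejecting an over-long name rather than truncating it avoids silently operating on a different path than the one supplied.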