Ticket #42718: patch-mktemp-fixes-v0

diff --git a/Source/PLCrashAsyncFile.cpp b/Source/PLCrashAsyncFile.cpp
index c0c6e36..83f59e2 100644
--- a/Source/PLCrashAsyncFile.cpp
+++ b/Source/PLCrashAsyncFile.cpp
@@ -26,6 +26,8 @@
 
 #include "PLCrashAsyncFile.hpp"
 
+#include "SecureRandom.hpp"
+
 #include <unistd.h>
 #include <errno.h>
 
@@ -114,14 +116,14 @@ ssize_t AsyncFile::readn (int fd, void *data, size_t len) {
  *
  * @param pathTemplate A writable template.
  * @param mode The file mode for the target file. The file will be created with this mode, modified by the process' umask value.
+ * @param outfd On success, a read/write file descriptor.
  *
- * @return A file descriptor open for reading and writing, or an error if the target path can not be opened. This
- * method may fail for any reason specified by open(2).
+ * @return PLCRASH_ESUCCESS if the temporary file was successfully opened, or an error if the target path can not be opened.
  *
  * @warning While this method is a loose analogue of libc mkstemp(3), the semantics differ, and API clients should not
- * rely on any particular similarities with the standard library function.
+ * rely on any similarities with the standard library function that are not explicitly documented.
  */
-int AsyncFile::mktemp (char *ptemplate, mode_t mode) {
+plcrash_error_t AsyncFile::mktemp (char *ptemplate, mode_t mode, int *outfd) {
     /* Characters to use for padding */
     static const char padchar[] = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
 
@@ -149,21 +151,57 @@ int AsyncFile::mktemp (char *ptemplate, mode_t mode) {
             }
         }
     }
-
-    int fd;
-    do {
-        /* Insert random suffix into the template. */
-        for (size_t i = 0; i < suffix_len; i++) {
-            // XXXTODO: The use of arc4random_uniform() is not async-safe.
-            // This is a stand-in until we can implement async-safe random deriviation.
-            ptemplate[suffix_i + i] = padchar[arc4random_uniform(sizeof(padchar) - 1)];
+    
+    /* Insert random suffix into the template. */
+    SecureRandom rnd = SecureRandom();
+    for (size_t i = 0; i < suffix_len; i++) {
+        plcrash_error_t err;
+        uint32_t charIndex;
+        
+        /* Try to read a random suffix character */
+        if ((err = rnd.uniform(sizeof(padchar) - 1, &charIndex)) != PLCRASH_ESUCCESS) {
+            PLCF_DEBUG("Failed to fetch bytes from SecureRandom.uniform(): %s", plcrash_async_strerror(err));
+            return err;
         }
         
+        /* Update the suffix. */
+        PLCF_ASSERT(charIndex < sizeof(padchar));
+        ptemplate[suffix_i + i] = padchar[charIndex];
+    }
+    
+    /* Save a copy of the suffix. We use this to determine when roll-over occurs while trying all possible combinations. */
+    char original_suffix[suffix_len];
+    plcrash_async_memcpy(original_suffix, &ptemplate[suffix_i], suffix_len);
+    
+    /* Loop until open(2) either succeeds, returns an error other than EEXIST, or we've tried every available combination. */
+    int fd;
+    int open_errno = 0;
+    do {
         /* Try to open the file. */
         fd = open(ptemplate, O_CREAT|O_EXCL|O_RDWR, mode);
+        
+        /* Terminate our loop on success */
+        if (fd >= 0)
+            break;
+
+        /* Save errno so we can safely log it later */
+        open_errno = errno;
+
+        /* Terminate if we get an error other than EEXIST */
+        if (open_errno != EEXIST)
+            break;
     } while (fd < 0);
+    
+    /* Check for open() failure */
+    if (fd < 0) {
+        PLCF_DEBUG("Failed to open output file in mktemp(): %d", open_errno);
+        return PLCRASH_OUTPUT_ERR;
+    }
 
-    return fd;
+    /* Provide the successful result */
+    PLCF_ASSERT(fd >= 0);
+    *outfd = fd;
+    return PLCRASH_ESUCCESS;
 }
 
 /**
diff --git a/Source/PLCrashAsyncFile.hpp b/Source/PLCrashAsyncFile.hpp
index 20e7994..49566a9 100644
--- a/Source/PLCrashAsyncFile.hpp
+++ b/Source/PLCrashAsyncFile.hpp
@@ -51,7 +51,7 @@ public:
     static ssize_t writen (int fd, const void *data, size_t len);
     static ssize_t readn (int fd, void *data, size_t len);
 
-    static int mktemp (char *ptemplate, mode_t mode);
+    static plcrash_error_t mktemp (char *ptemplate, mode_t mode, int *outfd);
 
     AsyncFile (int fd, off_t output_limit);
 
diff --git a/Source/PLCrashAsyncFileTests.mm b/Source/PLCrashAsyncFileTests.mm
index 41fb574..52de465 100644
--- a/Source/PLCrashAsyncFileTests.mm
+++ b/Source/PLCrashAsyncFileTests.mm
@@ -120,8 +120,8 @@ using namespace plcrash::async;
     }
 
     /* Try creating the temporary file */
-    _tempFD = AsyncFile::mktemp(ptemplate, 0600);
-    STAssertTrue(_tempFD >= 0, @"Failed to create output file");
+    STAssertEquals(PLCRASH_ESUCCESS, AsyncFile::mktemp(ptemplate, 0600, &_tempFD), @"mktemp() returned an error");
+    STAssertTrue(_tempFD >= 0, @"Failed to create output file descriptor");
     _tempOutputFile = [[[NSString alloc] initWithUTF8String: ptemplate] retain];
     STAssertNotNil(_tempOutputFile, @"String initialization failed for '%s'", ptemplate);
 
@@ -142,6 +142,21 @@ using namespace plcrash::async;
     free(ptemplate);
 }
 
+/**
+ * Test temporary file handling; verify that termination occurs if all possible combinations exist on disk.
+ */
+- (void) testMkTempTermination {
+    /* Generate a template string; the lack of 'X' suffix characters gaurantees that there's only one possible combination. */
+    char *ptemplate = strdup([[NSTemporaryDirectory() stringByAppendingPathComponent: @"mktemp_test"] fileSystemRepresentation]);
+
+    /* Verify that mktemp() succeds when the path does not exist ... */
+    STAssertEquals(PLCRASH_ESUCCESS, AsyncFile::mktemp(ptemplate, 0600, &_tempFD), @"mktemp() returned an error");
+    close(_tempFD);
+
+    /* ... and returns an error when the path does exist */
+    STAssertEquals(PLCRASH_OUTPUT_ERR, AsyncFile::mktemp(ptemplate, 0600, &_tempFD), @"mktemp() did not return an error");
+}
+
 /* Writer thread used for testReadWriteN */
 struct background_writer_ctx {
     int wfd;