-#include <stdio.h>
-#include <string.h>
-#include "alloca.h"
-#include "intprops.h"
-
-/* Set PROC_FD_FILENAME to the expansion of "/proc/self/fd/%d/%s" in
- alloca'd memory, using FD and FILE, respectively for %d and %s. */
-#define BUILD_PROC_NAME(Proc_fd_filename, Fd, File) \
- do \
- { \
- size_t filelen = strlen (File); \
- static const char procfd[] = "/proc/self/fd/%d/%s"; \
- /* Buffer for the file name we are going to use. It consists of \
- - the string /proc/self/fd/ \
- - the file descriptor number \
- - the file name provided. \
- The final NUL is included in the sizeof. \
- Subtract 4 to account for %d and %s. */ \
- size_t buflen = sizeof (procfd) - 4 + INT_STRLEN_BOUND (Fd) + filelen; \
- (Proc_fd_filename) = alloca (buflen); \
- snprintf ((Proc_fd_filename), buflen, procfd, (Fd), (File)); \
- } \
- while (0)
+#ifndef _GL_HEADER_OPENAT_PRIV
+#define _GL_HEADER_OPENAT_PRIV
+
+#include <errno.h>
+#include <limits.h>
+#include <stdlib.h>
+
+/* Maximum number of bytes that it is safe to allocate as a single
+ array on the stack, and that is known as a compile-time constant.
+ The assumption is that we'll touch the array very quickly, or a
+ temporary very near the array, provoking an out-of-memory trap. On
+ some operating systems, there is only one guard page for the stack,
+ and a page size can be as small as 4096 bytes. Subtract 64 in the
+ hope that this will let the compiler touch a nearby temporary and
+ provoke a trap. */
+#define SAFER_ALLOCA_MAX (4096 - 64)
+
+#define SAFER_ALLOCA(m) ((m) < SAFER_ALLOCA_MAX ? (m) : SAFER_ALLOCA_MAX)
+
+#if defined PATH_MAX
+# define OPENAT_BUFFER_SIZE SAFER_ALLOCA (PATH_MAX)
+#elif defined _XOPEN_PATH_MAX
+# define OPENAT_BUFFER_SIZE SAFER_ALLOCA (_XOPEN_PATH_MAX)
+#else
+# define OPENAT_BUFFER_SIZE SAFER_ALLOCA (1024)
+#endif
+
+char *openat_proc_name (char buf[OPENAT_BUFFER_SIZE], int fd, char const *file);
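Review bot: The `openat_proc_name` prototype on the last added line has no contract comment, so a caller cannot tell what is returned when the expanded "/proc/self/fd/%d/%s" name does not fit in `OPENAT_BUFFER_SIZE` bytes. The removed macro sized its alloca from `strlen (File)`, so the fixed buffer needs a documented overflow path; the new `<stdlib.h>` and `<errno.h>` includes suggest a heap fallback that returns NULL on failure, but that is inferred and not visible here. I would add a comment above the declaration along the lines of `/* Return BUF if the name fits, else malloc'd storage that the caller must free when it differs from BUF; return NULL with errno set on failure. */`, adjusted to what the implementation actually does. The `[OPENAT_BUFFER_SIZE]` bound in the parameter is not checked by the compiler, so the comment should also state the minimum buffer size the caller must pass. The include guard opened in this hunk closes outside the visible lines.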