authorTobias Stoeckmann <tobias@stoeckmann.org>2017-04-02 13:37:05 +0200
committerTobias Stoeckmann <tobias@stoeckmann.org>2017-04-02 13:37:05 +0200
commit08dbe8e2f2ab097257e1139f3b246ddf9585bcce (patch)
treef515ad5855ee6100ae625952f6026a7675adfc60
parenta5e60401f9dce39f7f1bcf53ede508c63f5d2ad3 (diff)
Fixed memory leak on file name collision.
If feh_unique_filename encounters a file that already exists, the memory for the temporary filename is not released. As this happens in /tmp at some code places, an attacker could use this to spray the memory of feh, or simply trigger an out-of-memory condition. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-rw-r--r--src/utils.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/src/utils.c b/src/utils.c
index bd189d3..8372d8f 100644
--- a/src/utils.c
+++ b/src/utils.c
@@ -169,9 +169,11 @@ char *feh_unique_filename(char *path, char *basename)
ppid = getpid();
snprintf(cppid, sizeof(cppid), "%06ld", (long) ppid);
+ tmpname = NULL;
/* make sure file doesn't exist */
do {
snprintf(num, sizeof(num), "%06ld", i++);
+ free(tmpname);
tmpname = estrjoin("", path, "feh_", cppid, "_", num, "_", basename, NULL);
}
while (stat(tmpname, &st) == 0);
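Review bot: The `stat(tmpname, &st) == 0` test that ends the loop is a check-then-use on a predictable name (pid, counter, basename), so a file or symlink can appear at that path between this check and whatever the caller does with the returned name; the leak fix leaves that window open. Because `stat()` follows symlinks, a dangling symlink is also reported as absent, so `while (lstat(tmpname, &st) == 0);` would be a cheap hardening at this line. The only race-free form for a shared directory such as /tmp is atomic creation, so it is worth confirming that the callers create the file with `open(..., O_CREAT | O_EXCL, ...)` or moving them to `mkstemp()`. feh_unique_filename begins and ends outside this hunk, so how the returned name is used is not visible here.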