author | Tobias Stoeckmann <tobias@stoeckmann.org> | 2017-04-02 13:37:05 +0200 |
---|---|---|
committer | Tobias Stoeckmann <tobias@stoeckmann.org> | 2017-04-02 13:37:05 +0200 |
commit | 08dbe8e2f2ab097257e1139f3b246ddf9585bcce | |
tree | f515ad5855ee6100ae625952f6026a7675adfc60 | |
parent | a5e60401f9dce39f7f1bcf53ede508c63f5d2ad3 | |
Fixed memory leak on file name collision.

If feh_unique_filename encounters a file that already exists, the memory
for the temporary filename is not released. As this happens in /tmp at
some code places, an attacker could use this to spray the memory of feh,
or simply trigger an out of memory condition.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-rw-r--r-- | src/utils.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/src/utils.c b/src/utils.c index bd189d3..8372d8f 100644 --- a/src/utils.c +++ b/src/utils.c @@ -169,9 +169,11 @@ char *feh_unique_filename(char *path, char *basename) ppid = getpid(); snprintf(cppid, sizeof(cppid), "%06ld", (long) ppid); + tmpname = NULL; /* make sure file doesn't exist */ do { snprintf(num, sizeof(num), "%06ld", i++); + free(tmpname); tmpname = estrjoin("", path, "feh_", cppid, "_", num, "_", basename, NULL); } while (stat(tmpname, &st) == 0); |
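Review bot: The loop condition `stat(tmpname, &st) == 0`, which follows the new `free(tmpname)`, is still a check-then-use probe on a predictable name ("feh_", pid, counter, basename), so a name that passes here can be created by another local user before the caller opens it, which matters for the /tmp callers the commit message mentions. Consider having the callers create the file atomically (open() with O_CREAT | O_EXCL, or mkstemp()) rather than relying on this probe alone. The loop also has no upper bound on `i`, so a directory pre-filled with matching names keeps it iterating; a retry cap with an error return would bound that. The leak fix itself reads correctly: `tmpname = NULL;` before the `do` makes the first `free(tmpname)` a no-op, and the name that ends the loop is not freed inside it.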