From 08dbe8e2f2ab097257e1139f3b246ddf9585bcce Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann
Date: Sun, 2 Apr 2017 13:37:05 +0200
Subject: Fixed memory leak on file name collision.

If feh_unique_filename encounters a file that already exists, the memory for the temporary filename is not released. As this happens in /tmp at some code places, an attacker could use this to spray the memory of feh, or simply triggering an out of memory condition.

Signed-off-by: Tobias Stoeckmann
---
 src/utils.c | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'src')

diff --git a/src/utils.c b/src/utils.c
index bd189d3..8372d8f 100644
--- a/src/utils.c
+++ b/src/utils.c
@@ -169,9 +169,11 @@ char *feh_unique_filename(char *path, char *basename)
 ppid = getpid();
 snprintf(cppid, sizeof(cppid), "%06ld", (long) ppid);
+ tmpname = NULL;
 /* make sure file doesn't exist */
 do {
 snprintf(num, sizeof(num), "%06ld", i++);
+ free(tmpname);
 tmpname = estrjoin("", path, "feh_", cppid, "_", num, "_", basename, NULL);
 } while (stat(tmpname, &st) == 0);
--
cgit v1.2.3
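Review bot: The loop condition `} while (stat(tmpname, &st) == 0);` still treats any stat() failure as proof that the candidate name is unused, so an error such as EACCES or ENAMETOOLONG ends the loop and returns a name that may well already exist; the added `free(tmpname)` closes the leak but leaves that unchanged. Because the commit message says these names are used under /tmp, a name that was absent at stat() time can also be created by another process before the caller opens it, so a caller that creates the file should do so with `O_CREAT|O_EXCL` (or use mkstemp) rather than relying on the stat() result; a check such as `if (stat(tmpname, &st) != 0 && errno != ENOENT) { /* report, do not treat as unique */ }` inside the loop would at least distinguish "absent" from "could not check". I would also add a comment above the loop, `/* stat() only shows the name was unused at check time; callers must still create the file with O_CREAT|O_EXCL */`. The declarations of tmpname and i, and the function's return, lie outside the hunk.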