Commit 08dbe8e2 authored by Tobias Stoeckmann

Fixed memory leak on file name collision.


If feh_unique_filename encounters a file that already exists, the memory
for the temporary filename is not released. As this happens in /tmp at
some code places, an attacker could use this to spray the memory of feh,
or simply trigger an out of memory condition.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
parent a5e60401
......@@ -169,9 +169,11 @@ char *feh_unique_filename(char *path, char *basename)
ppid = getpid();
snprintf(cppid, sizeof(cppid), "%06ld", (long) ppid);
tmpname = NULL;
/* make sure file doesn't exist */
do {
snprintf(num, sizeof(num), "%06ld", i++);
free(tmpname);
tmpname = estrjoin("", path, "feh_", cppid, "_", num, "_", basename, NULL);
}
while (stat(tmpname, &st) == 0);
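Review bot: the `while (stat(tmpname, &st) == 0)` check that closes the loop only tests whether the name exists at that instant, so the leak is fixed but the collision handling is still a check-then-use pattern. The name is built from the pid and a counter, and the commit message says this runs against /tmp, so another local user can create the path after the stat() returns and before the caller opens it. Consider reserving the name atomically, for example open() with O_CREAT | O_EXCL or mkstemp(), and handing back the descriptor instead of a bare name. Two smaller points in the same loop: stat() failing for a reason other than ENOENT ends the loop as if the name were free, so an errno check would make the intent explicit, and the loop has no iteration bound, so pre-created files can keep it spinning. The `free(tmpname)` ahead of `estrjoin()` depends on the `tmpname = NULL` initialisation for the first pass; that is correct because free(NULL) is a no-op, and a one-line comment saying so would keep a later edit from dropping the initialisation.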