- Jun 06, 2017
-
-
Birte Kristina Friesel authored
-
Birte Kristina Friesel authored
-
- Jun 01, 2017
-
-
Birte Kristina Friesel authored
-
- Apr 16, 2017
-
-
Birte Kristina Friesel authored
closes #270
-
Birte Kristina Friesel authored
-
Birte Kristina Friesel authored
-
- Apr 06, 2017
-
-
Olof-Joachim Frahm authored
-
- Apr 05, 2017
-
-
Olof-Joachim Frahm authored
-
Olof-Joachim Frahm authored
-
Olof-Joachim Frahm authored
-
- Apr 04, 2017
-
-
Birte Kristina Friesel authored
-
- Apr 03, 2017
-
-
Birte Kristina Friesel authored
-
- Apr 02, 2017
-
-
Birte Kristina Friesel authored
-
derf authoredCheck malloc return value for NULL.
-
derf authored
Fixed memory leak on file name collision.
-
derf authored
Always terminate strncpy results with '\0'.
-
derf authored
Avoid out of boundary read on empty/broken file.
-
Tobias Stoeckmann authored
If malloc cannot allocate enough memory, it could return NULL. This is not necessarily true for default Linux settings, but can be provoked there as well by adjusting proc entries. Other systems like the *BSD ones definitely do this. The function _emalloc exists for exactly this purpose, so use it instead of calling malloc directly. Signed-off-by:Tobias Stoeckmann <tobias@stoeckmann.org>
-
Tobias Stoeckmann authored
If feh_unique_filename encounters a file that already exists, the memory for the temporary filename is not released. As this happens in /tmp at some code places, an attacker could use this to spray the memory of feh, or simply triggering an out of memory condition. Signed-off-by: -
Tobias Stoeckmann authored
If ereadfile encounters an empty file or the file could not be read, an out ouf boundary read (and possible write) occurs. Always check the return value of fread to be > 0 before processing the result buffer. Signed-off-by: -
Tobias Stoeckmann authored
The strncpy function does not guarantee to end the resulting character sequence with a terminating nul character if not enough space is available. This could be triggered by supplying a sufficiently long output_file option. Signed-off-by:
-
- Apr 01, 2017
-
-
Birte Kristina Friesel authored
-
- Mar 28, 2017
-
-
derf authored
Fix double-free/OOB-write while receiving IPC data
-
- Mar 23, 2017
-
-
Tobias Stoeckmann authored
If a malicious client pretends to be the E17 window manager, it is possible to trigger an out of boundary heap write while receiving an IPC message. The length of the already received message is stored in an unsigned short, which overflows after receiving 64 KB of data. It's comparably small amount of data and therefore achievable for an attacker. When len overflows, realloc() will either be called with a small value and therefore chars will be appended out of bounds, or len + 1 will be exactly 0, in which case realloc() behaves like free(). This could be abused for a later double-free attack as it's even possible to overwrite the free information -- but this depends on the malloc implementation. Signed-off-by:
-
- Feb 26, 2017
-
-
Birte Kristina Friesel authored
-
- Feb 23, 2017
-
-
Birte Kristina Friesel authored
-
- Feb 16, 2017
-
-
Birte Kristina Friesel authored
-
- Jan 22, 2017
-
-
Birte Kristina Friesel authored
-
- Jan 15, 2017
-
-
Birte Kristina Friesel authored
-
- Jan 14, 2017
-
-
Birte Kristina Friesel authored
-
- Jan 12, 2017
-
-
ANogin authored
like %o and %z in slideshow actions (I would like to use this to zoom in, pan, and then use an action to crop the window to zoomed in view).
-
- Jan 11, 2017
-
-
Birte Kristina Friesel authored
-
- Jan 02, 2017
-
-
Birte Kristina Friesel authored
-
- Dec 07, 2016
-
-
Birte Kristina Friesel authored
-
Birte Kristina Friesel authored
-
- Nov 01, 2016
-
-
Birte Kristina Friesel authored
-
- Oct 31, 2016
-
-
Birte Kristina Friesel authored
-
- Oct 30, 2016
-
-
Birte Kristina Friesel authored
-
Birte Kristina Friesel authored
-
Birte Kristina Friesel authored
-
