Timing-safe comparisons:
- crypto.c: Replace memcmp with CRYPTO_memcmp for Secret equality,
require equal lengths before comparing
- remote_control.py: Constant-time password lookup to avoid leaking
valid passwords via dict hash timing
- file_transmission.py: Use hmac.compare_digest for bypass token
comparison instead of ==
Memory safety:
- child-monitor.c: Fix inverted condition in write_to_peer that
prevented memmove from ever executing on partial writes
- ibus_glfw.c: Null-terminate IBUS_ADDRESS copy to prevent string
overread when strlen >= PATH_MAX
- x11_window.c: Add NULL checks after realloc in clipboard/DnD
data handling (two sites)
- dnd.c: Cap accepted_mimes at 1MB to prevent unbounded growth,
fix realloc to not lose the original pointer on failure
- png-reader.c: Cast to size_t before multiplication to prevent
integer overflow on 32-bit platforms
Secrets hygiene:
- disk-cache.c: Zero encryption_key with explicit_bzero before free
Tar extraction hardening:
- tar.go: Validate hardlink targets against destination prefix to
prevent writing outside extraction directory
- tar.go: Strip setuid/setgid/sticky bits from extracted files
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
When kitty loses focus and the user scrolls in another
application, X11 XI scroll valuators accumulate position values. When the
user returns to kitty and scrolls, delta (value - v->value) uses the stale
pre-focus-loss value, causing a massive unexpected scroll jump.
Fix: reset scroll valuators (mark them uninitialized) on FocusOut so the
first scroll event after focus is regained sets the baseline without firing
a scroll event.
Fixes#9703Fixes#9707
Wayland (glfw/wl_window.c):
- Fix out-of-bounds access in send_drag_data: look up item by MIME type
instead of using the data-request index i to index _glfw.drag.items[].
The compositor calls drag_source_send once per target window entered,
so _glfw.wl.drag.count grows independently of item_count, causing
_glfw.drag.items[i] to be out-of-bounds on the second drag, yielding a
garbage optional_data pointer that made write() fail with EFAULT.
- Fix protocol error "Drag has not ended": change on_fail and the
GLFW_DRAG_DATA_REQUEST error path to call finish_drag_write(i)+return
instead of cancel_drag(), which was calling wl_data_source_destroy()
before the compositor ended the drag, violating the Wayland protocol.
- Fix double-free of dr.pending_data: null the pointer after free and
add cleanup to finish_drag_write().
- Fix missing finish_drag_write() after a full write in data-request
mode, which left the pipe open causing the target to wait for EOF.
X11 (glfw/x11_window.c):
- Wrap XSendEvent() calls in send_xdnd_enter/position/leave/drop with
_glfwGrabErrorHandlerX11()/_glfwReleaseErrorHandlerX11(). A target
window destroyed between discovery and message delivery produced a
BadWindow error that hit the default X11 abort handler. Now handled
gracefully by clearing current_target or cancelling the drag."
Fixes#9677Fixes#9683
Apparently when running under XWayland, we cant rely on libinput to
detect highres scroll devices. Sigh. Linux input is such a disaster.
Dunno if this will break something else, hopefully not.
Fixes#9649
This does not match X11/macOS behavior. And I see no logical reason why
it should be so. The wheel_scroll_multiplier should be used to adjust
this by end users.
