Use an explicit runtime check to apply the newer corner styling on macOS 26 while leaving behavior unchanged on older macOS versions for compatibility.
Also add the required QuartzCore framework for linking the corner curve API.
Timing-safe comparisons:
- crypto.c: Replace memcmp with CRYPTO_memcmp for Secret equality,
  require equal lengths before comparing
- remote_control.py: Constant-time password lookup to avoid leaking
  valid passwords via dict hash timing
- file_transmission.py: Use hmac.compare_digest for bypass token
  comparison instead of ==

Memory safety:
- child-monitor.c: Fix inverted condition in write_to_peer that
  prevented memmove from ever executing on partial writes
- ibus_glfw.c: Null-terminate IBUS_ADDRESS copy to prevent string
  overread when strlen >= PATH_MAX
- x11_window.c: Add NULL checks after realloc in clipboard/DnD
  data handling (two sites)
- dnd.c: Cap accepted_mimes at 1MB to prevent unbounded growth,
  fix realloc to not lose the original pointer on failure
- png-reader.c: Cast to size_t before multiplication to prevent
  integer overflow on 32-bit platforms

Secrets hygiene:
- disk-cache.c: Zero encryption_key with explicit_bzero before free

Tar extraction hardening:
- tar.go: Validate hardlink targets against destination prefix to
  prevent writing outside extraction directory
- tar.go: Strip setuid/setgid/sticky bits from extracted files
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
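
The two tar extraction checks listed in the commit message above, sketched as an added example; this is not kitty's tar.go code. The helper names `insideDest`, `resolveHardlink` and `safeMode`, the destination path and the sample entries are all assumptions made for illustration.

```go
package main

import (
	"archive/tar"
	"fmt"
	"io/fs"
	"path/filepath"
	"strings"
)

// insideDest reports whether p, once cleaned, is dest itself or lies below it.
// Comparing against dest plus a separator keeps /tmp/outside from matching /tmp/out.
func insideDest(dest, p string) bool {
	dest, p = filepath.Clean(dest), filepath.Clean(p)
	return p == dest || strings.HasPrefix(p, dest+string(filepath.Separator))
}

// resolveHardlink (hypothetical helper) returns the path a hard-link entry
// may be linked to, or an error when the target resolves outside dest.
func resolveHardlink(dest string, hdr *tar.Header) (string, error) {
	if hdr.Typeflag != tar.TypeLink {
		return "", fmt.Errorf("%q is not a hard link entry", hdr.Name)
	}
	target := filepath.Join(dest, hdr.Linkname) // Join also cleans ".." segments
	if !insideDest(dest, target) {
		return "", fmt.Errorf("hard link %q -> %q escapes %q", hdr.Name, hdr.Linkname, dest)
	}
	return target, nil
}

// safeMode (hypothetical helper) keeps only the rwx permission bits, so
// setuid, setgid and sticky bits from the archive never reach the file system.
func safeMode(hdr *tar.Header) fs.FileMode {
	return hdr.FileInfo().Mode().Perm()
}

func main() {
	dest := "/tmp/extract" // constructed destination directory
	entries := []*tar.Header{ // constructed sample entries
		{Typeflag: tar.TypeLink, Name: "bin/alias", Linkname: "bin/tool", Mode: 0o755},
		{Typeflag: tar.TypeLink, Name: "evil", Linkname: "../../etc/passwd", Mode: 0o644},
		{Typeflag: tar.TypeReg, Name: "bin/tool", Mode: 0o6755},
	}
	for _, h := range entries {
		target, err := resolveHardlink(dest, h)
		fmt.Printf("%-10s mode=%o target=%q err=%v\n", h.Name, safeMode(h), target, err)
	}
}
```

The check on the hard-link target is lexical only; an extractor also has to refuse to follow symlinks already created inside the destination.
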
When a USB HID device (keyboard/mouse) is disconnected, X11 fires an
XI_HierarchyChanged event, which triggers read_xi_scroll_devices().
That function calls XIGetProperty() on devices from XIQueryDevice().
There is a race condition: if a device is removed between these calls,
X11 generates an XI_BadDevice error. Without a custom error handler, the
default X11 handler calls exit(), killing kitty.
Fix: wrap the device query loop in read_xi_scroll_devices() with
_glfwGrabErrorHandlerX11() / _glfwReleaseErrorHandlerX11() so that any
XI_BadDevice error is captured by kitty's own handler rather than the
default fatal one.
Fixes #9723
Fixes #9724
This ensures that Ctrl+H behaves like Backspace and correctly clears
the pre-edit state, preventing uncommitted characters from remaining
on the screen when using IMEs like the Japanese one on macOS.
When kitty loses focus and the user scrolls in another
application, X11 XI scroll valuators accumulate position values. When the
user returns to kitty and scrolls, delta (value - v->value) uses the stale
pre-focus-loss value, causing a massive unexpected scroll jump.
Fix: reset scroll valuators (mark them uninitialized) on FocusOut so the
first scroll event after focus is regained sets the baseline without firing
a scroll event.
Fixes #9703
Fixes #9707
Position the window below the notch by reducing the frame height by
safeAreaInsets.top. Create a fullscreen child window behind it with a
colored subview covering just the notch strip, matching the terminal
background color and opacity.
Also fix background_opacity not triggering a chrome update on config
reload.
Wayland (glfw/wl_window.c):
- Fix out-of-bounds access in send_drag_data: look up item by MIME type
  instead of using the data-request index i to index _glfw.drag.items[].
  The compositor calls drag_source_send once per target window entered,
  so _glfw.wl.drag.count grows independently of item_count, causing
  _glfw.drag.items[i] to be out-of-bounds on the second drag, yielding a
  garbage optional_data pointer that made write() fail with EFAULT.
- Fix protocol error "Drag has not ended": change on_fail and the
  GLFW_DRAG_DATA_REQUEST error path to call finish_drag_write(i)+return
  instead of cancel_drag(), which was calling wl_data_source_destroy()
  before the compositor ended the drag, violating the Wayland protocol.
- Fix double-free of dr.pending_data: null the pointer after free and
  add cleanup to finish_drag_write().
- Fix missing finish_drag_write() after a full write in data-request
  mode, which left the pipe open causing the target to wait for EOF.

X11 (glfw/x11_window.c):
- Wrap XSendEvent() calls in send_xdnd_enter/position/leave/drop with
  _glfwGrabErrorHandlerX11()/_glfwReleaseErrorHandlerX11(). A target
  window destroyed between discovery and message delivery produced a
  BadWindow error that hit the default X11 abort handler. Now handled
  gracefully by clearing current_target or cancelling the drag.

Fixes #9677
Fixes #9683