From fd56152202cf7b431a5d0d060fff4aa5f6cad178 Mon Sep 17 00:00:00 2001 From: Christophe CURIS Date: Fri, 14 May 2021 19:06:43 +0200 Subject: [PATCH] WPrefs: fix memory leak and potential buffer overflow Coverity pointed out that the "text" returned by WMGetTextFieldText was never freed (CID #331578, because WMSetTextFieldText does its own copy, it does not take the pointer as-is). By looking at the code, there is also a potential buffer overflow because the buffer alloc'd for "value" is sized for the exact number of digits before increase, but the +delta can make the number use more digits so we may write past the end of original buffer. We write to a stack-allocated one, so it does not cost anything and does not participate in memory fragmentation. Signed-off-by: Christophe CURIS --- WPrefs.app/Expert.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/WPrefs.app/Expert.c b/WPrefs.app/Expert.c index 157bc393..136074f1 100644 --- a/WPrefs.app/Expert.c +++ b/WPrefs.app/Expert.c @@ -146,15 +146,16 @@ typedef struct _Panel { static void changeIntTextfield(void *data, int delta) { WMTextField *textfield; - char *text; + char *text, buffer[12]; int value; textfield = (WMTextField *)data; text = WMGetTextFieldText(textfield); value = atoi(text); + wfree(text); value += delta; - sprintf(text, "%d", value); - WMSetTextFieldText(textfield, text); + sprintf(buffer, "%d", value); + WMSetTextFieldText(textfield, buffer); } static void downButtonCallback(WMWidget *self, void *data)
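Review bot: the new `buffer[12]` in changeIntTextfield is still written with an unbounded `sprintf(buffer, "%d", value)`, so the fix is safe only as long as the bare constant 12 matches the widest possible int. 12 bytes fits "-2147483648" plus the terminator, which assumes a 32-bit int. Please switch to `snprintf(buffer, sizeof(buffer), "%d", value)` so the write is bounded by the array itself, and add a short comment saying where 12 comes from. Separately, `value += delta` is an unchecked signed addition on a number parsed by `atoi` from the text field's contents; clamping value to the allowed range before the add would keep it from overflowing when the field holds a value near the int limits.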