#10 Bug: >0 separators will lead to a buffer overflow

[Seth Hetu]

There is a problem with using separators, as exhibited in the following code, from Xmt/Menu.c, lines 346 and 378:
char namebuf[10];
sprintf(namebuf, "separator%d", numsep);

The problem is that "separator" is 9 characters, "numsep" is at least one digit/character, and the trailing '\0' is also one character. So: 9+1+1 = 11 > 10, the buffer's capacity. This will cause a buffer overflow for ALL values of numsep, and this code is invoked whenever a Menu Separator is added.

namebuf should be changed to at least 11 bytes in length, although you might want to change it to at least 13 (in case the user has >9 or >99 separators). I have attached a patch which changes it to 20 bytes as a precaution.

This bug will cause the program to silently corrupt memory.

[Seth Hetu]

Patch changing buffer size to 20.