From 7c1b655ca3fd6c324e152254f894be8af6322393 Mon Sep 17 00:00:00 2001
From: Frank <frank.moehle@outlook.de>
Date: Mon, 2 Jan 2023 22:38:22 +0100
Subject: [PATCH] fix array-of-out-bounds writes

fixing two dangerous (unguarded) array writes that can cause stack corruption
---
 wled00/set.cpp | 4 ++--
 wled00/xml.cpp | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/wled00/set.cpp b/wled00/set.cpp
index e01c27d2..8c331570 100644
--- a/wled00/set.cpp
+++ b/wled00/set.cpp
@@ -658,8 +658,8 @@ void handleSettingsSet(AsyncWebServerRequest *request, byte subPage)
       strip.panel.reserve(strip.panels); // pre-allocate memory
       for (uint8_t i=0; i<strip.panels; i++) {
         WS2812FX::Panel p;
-        char pO[8]; sprintf_P(pO, PSTR("P%d"), i);
-        uint8_t l = strlen(pO); pO[l+1] = 0;
+        char pO[8] = {'\0'}; snprintf_P(pO, 8, PSTR("P%d"), i);  // WLEDMM fix potential string overflow
+        uint8_t l = strlen(pO); if ((l-1) < sizeof(pO)) pO[l+1] = 0; // WLEDMM fix array-out-of-bounds write
         pO[l] = 'B'; if (!request->hasArg(pO)) break;
         pO[l] = 'B'; p.bottomStart = request->arg(pO).toInt();
         pO[l] = 'R'; p.rightStart  = request->arg(pO).toInt();
diff --git a/wled00/xml.cpp b/wled00/xml.cpp
index fa028b78..42ba8a51 100644
--- a/wled00/xml.cpp
+++ b/wled00/xml.cpp
@@ -781,8 +781,8 @@ void getSettingsJS(byte subPage, char* dest)
         oappend(SET_F("addPanel("));
         oappend(itoa(i,n,10));
         oappend(SET_F(");"));
-        char pO[8]; sprintf_P(pO, PSTR("P%d"), i);
-        uint8_t l = strlen(pO); pO[l+1] = 0;
+        char pO[8] = {'\0'}; snprintf_P(pO, 8, PSTR("P%d"), i);  // WLEDMM fix potential string overflow
+        uint8_t l = strlen(pO); if ((l-1) < sizeof(pO)) pO[l+1] = 0; // WLEDMM fix array-out-of-bounds write
         pO[l] = 'B'; sappend('v',pO,strip.panel[i].bottomStart);
         pO[l] = 'R'; sappend('v',pO,strip.panel[i].rightStart);
         pO[l] = 'V'; sappend('v',pO,strip.panel[i].vertical);