From f78edc43dcab1cbc67c6c6cf6ebe405dd54c92a0 Mon Sep 17 00:00:00 2001
From: Frank <91616163+softhack007@users.noreply.github.com>
Date: Sat, 25 Oct 2025 16:52:42 +0200
Subject: [PATCH] bugfix for #272 (only affects rotary usermod)

Refactor name copying logic to avoid use-after-free issue.
---
 wled00/util.cpp | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/wled00/util.cpp b/wled00/util.cpp
index c31b20b6..a913feed 100644
--- a/wled00/util.cpp
+++ b/wled00/util.cpp
@@ -340,10 +340,14 @@ uint8_t extractModeSlider(uint8_t mode, uint8_t slider, char *dest, uint8_t maxL
                 strncpy_P(dest, tmpstr, maxLen); // copy the name into buffer (replacing previous)
                 dest[maxLen-1] = '\0';
               } else {
-                if (nameEnd<0) tmpstr = names.substring(nameBegin).c_str(); // did not find ",", last name?
-                else           tmpstr = names.substring(nameBegin, nameEnd).c_str();
-                strlcpy(dest, tmpstr, maxLen); // copy the name into buffer (replacing previous)
-              }
+                // WLEDMM bugfix for WLED-MM #272
+                // names.substring(...).c_str() returns a pointer to a temporary; it’s invalid by the next statement. Added result buffer "sub" to avoid use-after-free
+                //   if (nameEnd<0) tmpstr = names.substring(nameBegin).c_str(); // did not find ",", last name?
+                //   else           tmpstr = names.substring(nameBegin, nameEnd).c_str();
+                // strlcpy(dest, tmpstr, maxLen); // copy the name into buffer (replacing previous)
+                String sub = (nameEnd<0) ? names.substring(nameBegin) : names.substring(nameBegin, nameEnd);
+                strlcpy(dest, sub.c_str(), maxLen); // copy the name into buffer (replacing previous)
+			  }
             }
             nameBegin = nameEnd+1; // next name (if "," is not found it will be 0)
           } // next slider