Description: a couple of sprintf format errors
 You can do whatever you want by naming a file %something; it'd also crash
 on any file name above 255 characters even without malice.

--- dav-text-0.8.5.orig/fileIO.c
+++ dav-text-0.8.5/fileIO.c
@@ -92,7 +92,7 @@ char *doSave(char *filename) {
         n++;
         choices = realloc(choices, n*sizeof(char *));
         choices[n-1] = malloc(256);
-        sprintf(choices[n-1], d->d_name);
+        snprintf(choices[n-1], 256, "%s", d->d_name);
       }
       closedir(dir);
       
@@ -178,7 +178,7 @@ void load(char *filename)
       n++;
       choices = realloc(choices, n*sizeof(char *));
       choices[n-1] = malloc(256);
-      sprintf(choices[n-1], d->d_name);
+      snprintf(choices[n-1], 256, "%s", d->d_name);
     }
     closedir(dir);
     
