This is a patch file for Subversion releases of "tuxmath" dated circa mid-2007. These changes fix a memory-corruption problem. The fix hasn't been tested exhaustively, but it seems to work. Note: This file should be compatible with all distros that support the original program.
--- tuxmath.old/trunk/src/titlescreen.c
+++ tuxmath/trunk/src/titlescreen.c
@@ -1403,29 +1403,27 @@
 continue;
 }
- /* FIXME I think the following could overflow: */
- fscanf(tempFile, "%[^\n]\n", name_buf);
+ i = 0;
- /* check to see if it has a \r at the end of it (dos format!) */
- length = strlen(name_buf);
- if (name_buf[length - 1] == '\r')
+ while (1)
 {
- name_buf[length - 1] = '\0';
- }
+ int c = getc (tempFile);
- /* Go past leading '#', ';', or whitespace: */
- /* NOTE getting i to the correct value on exit is the main goal of the loop */
- for ( i = 0;
- ((name_buf[i] == '#') ||
- (name_buf[i] == ';') ||
- isspace(name_buf[i])) &&
- (i < 200);
- i++ )
- {
- length--;
+ if (i == 0)
+ {
+ if ((c == ' ') || (c == 011)) continue;
+ if ((c == '#') || (c == ';')) continue;
+ }
+
+ if ((c == 012) || (c == 014) || (c == 015)) break;
+ if ((i > 50) || (c == EOF)) break;
+ if (c < ' ') c = ' ';
+ name_buf [i++] = (unsigned char) c;
 }
- /* Now copy the rest of the first line into the list: */
- memmove(&lesson_names[lessons], &name_buf[i], length);
+
+ name_buf [i] = '\0';
+ if (i == 0) strcpy (name_buf, "???");
+ strcpy (&lesson_names[lessons], name_buf);
 lessons++;
 fclose(tempFile);
 } while (1); // Loop will end when 'break' encountered
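Review bot: The new read loop's limit `(i > 50)` is a bare constant that is not tied to the size of `name_buf` or of the `lesson_names[lessons]` slot, and it admits 51 characters plus the terminator, so the final `strcpy` can write up to 52 bytes into a destination whose size is not visible in this hunk. Since the patch exists to close an overflow, I would derive the bound from the buffer, e.g. `if ((i >= (int) sizeof (name_buf) - 1) || (c == EOF)) break;` (assuming `name_buf` is declared as an array in this function), and confirm that each `lesson_names` entry is at least that large. The copy passes `&lesson_names[lessons]`, which is a pointer to the whole row if `lesson_names` is a two-dimensional array; `strcpy (lesson_names[lessons], name_buf);` has the type `strcpy` expects. The octal literals `011`, `012`, `014` and `015` would be easier to audit as `'\t'`, `'\n'`, `'\f'` and `'\r'`. The enclosing function, the declarations of both buffers and any check that `lessons` stays within the array are outside the hunk.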