--- ftpd.c.orig	Sat Jun 10 21:00:52 2000
+++ ftpd.c	Wed Apr 11 02:28:52 2001
@@ -1248,7 +1248,7 @@
 	} else {
 		char line[FTP_BUFSIZ];
 
-		(void) sprintf(line, cmd, name), name = line;
+		(void) snprintf(line, sizeof(line), cmd, name), name = line;
 		fin = ftpd_popen(line, "r"), closefunc = ftpd_pclose;
 		st.st_size = -1;
 #ifndef NOSTBLKSIZE
@@ -1499,7 +1503,7 @@
 	va_list ap;
 
 	va_start(ap, fmt);
-	vsprintf(buf, fmt, ap);
+	vsnprintf(buf, sizeof(buf), fmt, ap);
 	va_end(ap);
 #else
 	sprintf(buf, fmt, p1, p2, p3, p4, p5);
@@ -1688,7 +1692,7 @@
 	int c;
 	char str[FTP_BUFSIZ], *p;
 
-	(void) sprintf(line, "/bin/ls -lgA %s", filename);
+	(void) snprintf(line, sizeof(line), "/bin/ls -lgA %s", filename);
 	fin = ftpd_popen(line, "r");
 	lreply(211, "status of %s:", filename);
 	p = str;
@@ -1806,10 +1810,10 @@
 	va_list ap;
 
 	va_start(ap, fmt);
-	vsprintf(buf, fmt, ap);
+	vsnprintf(buf, sizeof(buf), fmt, ap);
 	va_end(ap);
 #else
-	sprintf(buf, fmt, p0, p1, p2, p3, p4, p5);
+	snprintf(buf, sizeof(buf), fmt, p0, p1, p2, p3, p4, p5);
 #endif
 
 	if (auth_type) {
@@ -1905,7 +1909,7 @@
 	va_list ap;
 
 	va_start(ap, fmt);
-	vsprintf(buf, fmt, ap);
+	vsnprintf(buf, sizeof(buf), fmt, ap);
 	va_end(ap);
 #else
 	sprintf(buf, fmt, p0, p1, p2, p3, p4, p5);
@@ -2185,6 +2189,7 @@
 	struct stat st;
 	char *cp = strrchr(local, '/');
 	int count = 0;
+	int cplen;
 
 	if (cp)
 		*cp = '\0';
@@ -2194,11 +2199,12 @@
 	}
 	if (cp)
 		*cp = '/';
-	(void) strcpy(new, local);
+	(void) strncpy(new, local, sizeof(new) - 1);
 	cp = new + strlen(new);
+	cplen = sizeof(new) - strlen(new) - 2;
 	*cp++ = '.';
 	for (count = 1; count < 100; count++) {
-		(void) sprintf(cp, "%d", count);
+		(void) snprintf(cp, cplen, "%d", count);
 		if (stat(new, &st) < 0)
 			return(new);
 	}
@@ -2544,7 +2550,7 @@
         va_start(ap, fmt);
         if (dlevel == PROT_C) rval = vfprintf(stream, fmt, ap);
         else {
-                vsprintf(s, fmt, ap);
+                vsnprintf(s, sizeof(s), fmt, ap);
                 rval = secure_write(fileno(stream), s, strlen(s));
         }
         va_end(ap);
@@ -2644,7 +2650,7 @@
 			    dir->d_name[2] == '\0')
 				continue;
 
-			sprintf(nbuf, "%s/%s", dirname, dir->d_name);
+			snprintf(nbuf, sizeof(nbuf), "%s/%s", dirname, dir->d_name);
 
 			/*
 			 * We have to do a stat to insure it's