--- dcraw.c.orig	Tue Apr 29 14:22:52 2008
+++ dcraw.c	Sun Jun  1 03:10:50 2008
@@ -1253,8 +1253,8 @@ void CLASS nikon_3700()
   bits = (dp[8] & 3) << 4 | (dp[20] & 3);
   for (i=0; i < sizeof table / sizeof *table; i++)
     if (bits == table[i].bits) {
-      strcpy (make,  table[i].make );
-      strcpy (model, table[i].model);
+      strlcpy (make,  table[i].make,  sizeof make);
+      strlcpy (model, table[i].model, sizeof model);
     }
 }
 
@@ -3030,7 +3030,7 @@ void CLASS foveon_interpolate()
     FORC3 diag[c][i] = LAST(1,1)*LAST(2,2) - LAST(1,2)*LAST(2,1);
   #undef LAST
   FORC3 div[c] = diag[c][0]*0.3127 + diag[c][1]*0.329 + diag[c][2]*0.3583;
-  sprintf (str, "%sRGBNeutral", model2);
+  snprintf (str, sizeof str, "%sRGBNeutral", model2);
   if (foveon_camf_param ("IncludeBlocks", str))
     foveon_fixed (div, 3, str);
   num = 0;
@@ -3397,9 +3397,9 @@ void CLASS bad_pixels (char *fname)
       if (*cp == '\\') *cp = '/';
 #endif
     cp = fname + strlen(fname);
-    if (cp[-1] == '/') cp--;
+    if (cp[-1] == '/') cp--, *cp = '\0';
     while (*fname == '/') {
-      strcpy (cp, "/.badpixels");
+      strlcat (fname, "/.badpixels", len);
       if ((fp = fopen (fname, "r"))) break;
       if (cp == fname) break;
       while (*--cp != '/');
@@ -4798,7 +4798,7 @@ void CLASS parse_mos (int offset)
     if (!strcmp(data,"ShootObj_back_type")) {
       fscanf (ifp, "%d", &i);
       if ((unsigned) i < sizeof mod / sizeof (*mod))
-	strcpy (model, mod[i]);
+	strlcpy (model, mod[i], sizeof model);
     }
     if (!strcmp(data,"icc_camera_to_tone_matrix")) {
       for (i=0; i < 9; i++)
@@ -5130,7 +5130,7 @@ int CLASS parse_tiff_ifd (int base)
 	  if (flip % 180 == 90) SWAP(width,height);
 	  filters = flip = 0;
 	}
-	sprintf (model, "Ixpress %d-Mp", height*width/1000000);
+	snprintf (model, sizeof model, "Ixpress %d-Mp", height*width/1000000);
 	load_raw = &CLASS imacon_full_load_raw;
 	if (filters) {
 	  if (left_margin & 1) filters = 0x61616161;
@@ -5438,6 +5438,7 @@ void CLASS parse_external_jpeg()
 {
   char *file, *ext, *jname, *jfile, *jext;
   FILE *save=ifp;
+  size_t ifsize;
 
   ext  = strrchr (ifname, '.');
   file = strrchr (ifname, '/');
@@ -5445,13 +5446,15 @@ void CLASS parse_external_jpeg()
   if (!file) file = ifname-1;
   file++;
   if (!ext || strlen(ext) != 4 || ext-file != 8) return;
-  jname = (char *) malloc (strlen(ifname) + 1);
+  ifsize = strlen(ifname) + 1;
+  jname = (char *) malloc (ifsize);
   merror (jname, "parse_external()");
-  strcpy (jname, ifname);
+  strlcpy (jname, ifname, ifsize);
   jfile = file - ifname + jname;
   jext  = ext  - ifname + jname;
   if (strcasecmp (ext, ".jpg")) {
-    strcpy (jext, isupper(ext[1]) ? ".JPG":".jpg");
+    *jext = '\0';
+    strlcat(ifname, isupper(ext[1]) ? ".JPG":".jpg", ifsize);
     memcpy (jfile, file+4, 4);
     memcpy (jfile+4, file, 4);
   } else
@@ -5668,7 +5671,7 @@ void CLASS parse_sinar_ia()
   fread (make, 64, 1, ifp);
   make[63] = 0;
   if ((cp = strchr(make,' '))) {
-    strcpy (model, cp+1);
+    strlcpy (model, cp+1, sizeof model);
     *cp = 0;
   }
   raw_width  = get2();
@@ -5846,7 +5849,7 @@ void CLASS parse_smal (int offset, int fsize)
   raw_height = height = get2();
   raw_width  = width  = get2();
   strcpy (make, "SMaL");
-  sprintf (model, "v%d %dx%d", ver, width, height);
+  snprintf (model, sizeof model, "v%d %dx%d", ver, width, height);
   if (ver == 6) load_raw = &CLASS smal_v6_load_raw;
   if (ver == 9) load_raw = &CLASS smal_v9_load_raw;
 }
@@ -5874,7 +5877,7 @@ void CLASS parse_cine()
   }
   fseek (ifp, off_setup+792, SEEK_SET);
   strcpy (make, "CINE");
-  sprintf (model, "%d", get4());
+  snprintf (model, sizeof model, "%d", get4());
   fseek (ifp, 12, SEEK_CUR);
   switch ((i=get4()) & 0xffffff) {
     case  3:  filters = 0x94949494;  break;
@@ -5973,11 +5976,11 @@ void CLASS parse_foveon()
 	  if (!strcmp (name, "ISO"))
 	    iso_speed = atoi(value);
 	  if (!strcmp (name, "CAMMANUF"))
-	    strcpy (make, value);
+	    strlcpy (make, value, sizeof make);
 	  if (!strcmp (name, "CAMMODEL"))
-	    strcpy (model, value);
+	    strlcpy (model, value, sizeof model);
 	  if (!strcmp (name, "WB_DESC"))
-	    strcpy (model2, value);
+	    strlcpy (model2, value, sizeof model2);
 	  if (!strcmp (name, "TIME"))
 	    timestamp = atoi(value);
 	  if (!strcmp (name, "EXPTIME"))
@@ -6396,7 +6399,7 @@ void CLASS adobe_coeff (char *make, char *model)
   char name[130];
   int i, j;
 
-  sprintf (name, "%s %s", make, model);
+  snprintf (name, sizeof name, "%s %s", make, model);
   for (i=0; i < sizeof table / sizeof *table; i++)
     if (!strncmp (name, table[i].prefix, strlen(table[i].prefix))) {
       if (table[i].black)   black   = (ushort) table[i].black;
@@ -6634,8 +6637,8 @@ void CLASS identify()
   else
     for (i=0; i < sizeof table / sizeof *table; i++)
       if (fsize == table[i].fsize) {
-	strcpy (make,  table[i].make );
-	strcpy (model, table[i].model);
+	strlcpy (make,  table[i].make, sizeof make);
+	strlcpy (model, table[i].model, sizeof model);
 	if (table[i].withjpeg)
 	  parse_external_jpeg();
       }
@@ -6644,7 +6647,7 @@ void CLASS identify()
 
   for (i=0; i < sizeof corp / sizeof *corp; i++)
     if (strstr (make, corp[i]))		/* Simplify company names */
-	strcpy (make, corp[i]);
+	strlcpy (make, corp[i], sizeof make);
   if (!strncmp (make,"KODAK",5))
     make[16] = model[16] = 0;
   cp = make + strlen(make);		/* Remove trailing spaces */
@@ -7035,7 +7038,7 @@ cp_e2500:
     load_raw = &CLASS unpacked_load_raw;
   } else if (!strcmp(make,"FUJIFILM")) {
     if (!strcmp(model+7,"S2Pro")) {
-      strcpy (model+7," S2Pro");
+      strcpy (model + 7, " S2Pro");
       height = 2144;
       width  = 2880;
       flip = 6;
@@ -7077,7 +7080,7 @@ cp_e2500:
     } else if (!strncmp(model,"ALPHA",5) ||
 	       !strncmp(model,"DYNAX",5) ||
 	       !strncmp(model,"MAXXUM",6)) {
-      sprintf (model+20, "DYNAX %-10s", model+6+(model[0]=='M'));
+      snprintf (model+20, sizeof model - 20, "DYNAX %-10s", model+6+(model[0]=='M'));
       adobe_coeff (make, model+20);
       load_raw = &CLASS packed_12_load_raw;
     } else if (!strncmp(model,"DiMAGE G",8)) {
@@ -7618,7 +7621,7 @@ qt_common:
     pre_mul[2] = 1.504;
   }
   if (!model[0])
-    sprintf (model, "%dx%d", width, height);
+    snprintf (model, sizeof model,  "%dx%d", width, height);
   if (filters == UINT_MAX) filters = 0x94949494;
   if (raw_color) adobe_coeff (make, model);
   if (thumb_offset && !thumb_height) {
@@ -7782,8 +7785,8 @@ void CLASS convert_to_rgb()
       }
     for (i=0; i < phead[0]/4; i++)
       oprof[i] = htonl(oprof[i]);
-    strcpy ((char *)oprof+pbody[2]+8, "auto-generated by dcraw");
-    strcpy ((char *)oprof+pbody[5]+12, name[output_color-1]);
+    strlcpy ((char *)oprof+pbody[2]+8, "auto-generated by dcraw", sizeof oprof-pbody[2]-8);
+    strlcpy ((char *)oprof+pbody[5]+12, name[output_color-1], sizeof oprof-pbody[5]-12);
     for (i=0; i < 3; i++)
       for (j=0; j < colors; j++)
 	for (out_cam[i][j] = k=0; k < 3; k++)
@@ -8033,7 +8036,7 @@ void CLASS tiff_head (struct tiff_hdr *th, int full)
   strncpy (th->model, model, 64);
   strcpy (th->soft, "dcraw v"VERSION);
   t = gmtime (&timestamp);
-  sprintf (th->date, "%04d:%02d:%02d %02d:%02d:%02d",
+  snprintf (th->date, sizeof th->date, "%04d:%02d:%02d %02d:%02d:%02d",
       t->tm_year+1900,t->tm_mon+1,t->tm_mday,t->tm_hour,t->tm_min,t->tm_sec);
   strncpy (th->artist, artist, 64);
 }
@@ -8111,6 +8114,7 @@ int CLASS main (int argc, char **argv)
   char opm, opt, *ofname, *sp, *cp, *bpfile=0, *dark_frame=0;
   const char *write_ext;
   struct utimbuf ut;
+  size_t ofsize;
   FILE *ofp;
 #ifndef NO_LCMS
   char *cam_profile=0, *out_profile=0;
@@ -8432,19 +8436,20 @@ thumbnail:
       write_ext = ".tiff";
     else
       write_ext = ".pgm\0.ppm\0.ppm\0.pam" + colors*5-5;
-    ofname = (char *) malloc (strlen(ifname) + 64);
+    ofsize = strlen(ifname) + 64;
+    ofname = (char *) malloc (ofsize);
     merror (ofname, "main()");
     if (write_to_stdout)
       strcpy (ofname,_("standard output"));
     else {
-      strcpy (ofname, ifname);
+      strlcpy (ofname, ifname, ofsize);
       if ((cp = strrchr (ofname, '.'))) *cp = 0;
       if (multi_out)
-	sprintf (ofname+strlen(ofname), "_%0*d",
+	snprintf (ofname+strlen(ofname), ofsize-strlen(ofname), "_%0*d",
 		snprintf(0,0,"%d",is_raw-1), shot_select);
       if (thumbnail_only)
-	strcat (ofname, ".thumb");
-      strcat (ofname, write_ext);
+	strlcat (ofname, ".thumb", ofsize);
+      strlcat (ofname, write_ext, ofsize);
       ofp = fopen (ofname, "wb");
       if (!ofp) {
 	status = 1;
