--- cattach.c.orig	Fri Dec 19 01:32:57 1997
+++ cattach.c	Sun Mar 13 14:05:19 2005
@@ -100,6 +100,7 @@
 	char *dirarg=NULL;
 	char *namearg=NULL;
 	int keycheck=1;
+	int l;
 
 	ap.highsec=1;
 	while (--argc) if (**++argv == '-') {
@@ -164,17 +165,35 @@
 			fprintf(stderr,"Can't stat current directory\n");
 			exit(1);
 		}
-		sprintf(dir,"%s/%s",buf,dirarg);
-	} else
-		strcpy(dir,dirarg);
-	sprintf(lname,"%s/..data",dir,1024);
-	sprintf(kname,"%s/..k",dir,1024);
+		l = snprintf(dir, sizeof(dir), "%s/%s", buf, dirarg);
+		if (l < 0 || l >= sizeof(dir)) {
+			fprintf(stderr, "File name too long\n");
+			exit(1);
+		}
+	} else {
+		if (strlcpy(dir, dirarg, sizeof(dir)) >= sizeof(dir)) {
+			fprintf(stderr, "File name too long\n");
+			exit(1);
+		}
+	}
+	l = snprintf(lname, sizeof(lname), "%s/..data", dir);
+	if (l < 0 || l >= sizeof(lname)) {
+	  fprintf(stderr, "File name too long\n");
+	  exit(1);
+	}
+	(void)snprintf(kname, sizeof(kname), "%s/..k", dir);
 	if (chdir(lname) >= 0)
 		strcpy(dir,lname);
 	else if (chdir(dir)<0) {
 		perror(dirarg);
 		exit(1);
 	}
+ 	l = snprintf(cname, sizeof(cname), "%s/..c", dir);
+	if (l < 0 || l >= sizeof(cname)) {
+	  fprintf(stderr, "File name too long\n");
+	  exit(1);
+	}
+	(void)snprintf(sname, sizeof(sname), "%s/..s", dir);
 #ifdef irix
 /* or (I hope) more or less any system with the 4 parameter statfs */
     if ((statfs(".",&sfb,sizeof sfb,0)<0) || (sfb.f_blocks==0)) {
@@ -188,7 +207,10 @@
 	}
 #endif
 	ap.dirname=dir;
-	strcpy(ins,namearg);
+	if (strlcpy(ins, namearg, sizeof(ins)) >= sizeof(ins)) {
+		fprintf(stderr, "Name too long\n");
+		exit(1);
+	}
 	*namearg='\0'; /* weak attempt to hide .instance in ps output */
 	ap.name=ins;
 	if (keycheck) {
@@ -207,8 +229,6 @@
 		if ((n>0) && (pw[n-1] == '\n'))
 			pw[n-1] = '\0';
 	}
- 	sprintf(cname,"%s/..c",dir);
-	sprintf(sname,"%s/..s",dir);
 	if ((fp=fopen(cname,"r")) == NULL) {
 		ciph=CFS_STD_DES;
 	} else {
@@ -237,7 +257,7 @@
 	ap.expire = timeout;
 	ap.key.cipher=ciph;
 	if (smsize != LARGESMSIZE)
-		sprintf(pw,"%s%d",pw,smsize);
+		(void)snprintf(pw, 256, "%s%d", pw, smsize);
 
 	if (cfmt) {
 		if (new_pwcrunch(pw,&ap.key)!=0) {
