$OpenBSD: patch-src_util_c,v 1.3 2005/08/23 21:26:27 pvalchev Exp $
--- src/util.c.orig	Mon Nov  8 02:21:54 2004
+++ src/util.c	Tue Aug 23 13:58:40 2005
@@ -229,12 +229,22 @@ char *util_get_path_from_normalised_uri(
     char *fullpath;
     char *webroot;
     ice_config_t *config = config_get_config();
+    size_t pathlen;
 
     webroot = config->webroot_dir;
 
-    fullpath = malloc(strlen(uri) + strlen(webroot) + 1);
-    if (fullpath)
-        sprintf (fullpath, "%s%s", webroot, uri);
+    pathlen = strlen(uri) + strlen(webroot) + 1;
+    fullpath = malloc(pathlen);
+    if (fullpath) {
+        int ret = snprintf(fullpath, pathlen, "%s%s", webroot, uri);
+        if (ret == -1 || ret >= pathlen) {
+            WARN0("Error generating full path name in util_get_path_from_normalised_uri()");
+            free(fullpath);
+            fullpath = NULL;
+        }
+    } else
+        WARN0("Failed to allocate memory for full path name");
+
     config_release_config();
 
     return fullpath;
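Review bot: The truncation check `if (ret == -1 || ret >= pathlen)` compares an `int` with a `size_t` and tests only for exactly -1, so it is correct only because a negative `ret` is implicitly converted to a very large unsigned value. Writing it as `if (ret < 0 || (size_t)ret >= pathlen) {` states the intent directly and avoids sign-compare warnings. The same pattern recurs in the util_dict_urlencode hunks (`ret >= buflen`, `ret >= buflen - strlen(res)`, `ret >= buflen - reslen`). The sum `strlen(uri) + strlen(webroot) + 1` is still not checked for wrap-around, which is presumably unreachable for request-sized URIs but worth a short comment. The function body starts before this hunk, so how `uri` is validated before concatenation is not visible here.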
@@ -568,24 +578,40 @@ char *util_dict_urlencode(util_dict *dic
     char *res, *tmp;
     char *enc;
     int start = 1;
+    size_t buflen;
 
     for (res = NULL; dict; dict = dict->next) {
         /* encode key */
         if (!dict->key)
             continue;
         if (start) {
-            if (!(res = malloc(strlen(dict->key) + 1))) {
+            int ret;
+            buflen = strlen(dict->key) + 1;
+            if (!(res = malloc(buflen))) {
                 return NULL;
             }
-            sprintf(res, "%s", dict->key);
+            ret = snprintf(res, buflen, "%s", dict->key);
+            if (ret == -1 || ret >= buflen) {
+                free(res);
+                return NULL;
+            }
             start = 0;
         } else {
-            if (!(tmp = realloc(res, strlen(res) + strlen(dict->key) + 2))) {
+            buflen = strlen(res) + strlen(dict->key) + 2;
+            if ((tmp = realloc(res, buflen)) == NULL) {
                 free(res);
                 return NULL;
-            } else
+            } else {
+                int ret;
+
                 res = tmp;
-            sprintf(res + strlen(res), "%c%s", delim, dict->key);
+                ret = snprintf(res + strlen(res), buflen - strlen(res),
+                    "%c%s", delim, dict->key);
+                if (ret == -1 || ret >= buflen - strlen(res)) {
+                    free(res);
+                    return NULL;
+                }
+            }
         }
 
         /* encode value */
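Review bot: The check `ret >= buflen - strlen(res)` in the non-first-key branch calls strlen(res) after snprintf() has already appended to `res`, so the right-hand side is 1 on every successful write and the branch frees `res` and returns NULL. As written, any dictionary with a second keyed entry appears to fail rather than being encoded. Capture the length once before the write, as the value-encoding hunk does with `reslen`: `size_t reslen = strlen(res);`, then `ret = snprintf(res + reslen, buflen - reslen, "%c%s", delim, dict->key);` and `if (ret < 0 || (size_t)ret >= buflen - reslen) {`. The function starts before this hunk and continues past it.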
@@ -596,14 +622,25 @@ char *util_dict_urlencode(util_dict *dic
             return NULL;
         }
 
-        if (!(tmp = realloc(res, strlen(res) + strlen(enc) + 2))) {
+        buflen = strlen(res) + strlen(enc) + 2;
+        if ((tmp = realloc(res, buflen)) == NULL) {
             free(enc);
             free(res);
             return NULL;
-        } else
+        } else {
+            int ret;
+            size_t reslen;
             res = tmp;
-        sprintf(res + strlen(res), "=%s", enc);
-        free(enc);
+            reslen = strlen(res);
+            ret = snprintf(res + reslen, buflen - reslen, "=%s", enc);
+            if (ret == -1 || ret >= buflen - reslen) {
+                free(enc);
+                free(res);
+                return NULL;
+            }
+            free(enc);
+            enc = NULL;
+        }
     }
 
     return res;
