$OpenBSD: patch-src_util_c,v 1.2 2005/08/22 23:25:39 pvalchev Exp $
--- src/util.c.orig	Sun Mar 21 05:03:34 2004
+++ src/util.c	Fri Aug 19 21:04:04 2005
@@ -254,6 +254,7 @@ char *_shout_util_dict_urlencode(util_di
 	char *res, *tmp;
 	char *enc;
 	int start = 1;
+	size_t buflen;
 
 	for (res = NULL; dict; dict = dict->next) {
 		/* encode key */
@@ -265,21 +266,39 @@ char *_shout_util_dict_urlencode(util_di
 			return NULL;
 		}
 		if (start) {
-			if (!(res = malloc(strlen(enc) + 1))) {
+			int ret;
+
+			buflen = strlen(enc) + 1;
+			if ((res = malloc(buflen)) == NULL) {
 				free(enc);
 				return NULL;
 			}
-			sprintf(res, "%s", enc);
+			ret = snprintf(res, buflen, "%s", enc);
+			if (ret == -1 || ret >= buflen) {
+				free(enc);
+				free(res);
+				return NULL;
+			}
 			free(enc);
 			start = 0;
 		} else {
-			if (!(tmp = realloc(res, strlen(res) + strlen(enc) + 2))) {
+			buflen = strlen(res) + strlen(enc) + 2;
+			if ((tmp = realloc(res, buflen)) == NULL) {
 				free(enc);
 				free(res);
 				return NULL;
-			} else
+			} else {
+				int ret;
+
 				res = tmp;
-			sprintf(res + strlen(res), "%c%s", delim, enc);
+				ret = snprintf(res + strlen(res), buflen - strlen(res),
+					       "%c%s", delim, enc);
+				if (ret == -1 || ret >= buflen - strlen(res)) {
+					free(enc);
+					free(res);
+					return NULL;
+				}
+			}
 			free(enc);
 		}
 
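Review bot: The bounds check in the `else` branch, `ret >= buflen - strlen(res)`, calls strlen(res) again after snprintf() has already appended to res, so the right-hand side is the space left after the write (1 byte) rather than the size that was passed to snprintf(). With a non-NUL delim, ret is at least 1, so the check appears to fire on every successful append, and the function would return NULL for any dictionary with more than one entry. Capture the length once before the call, as the value path in the next hunk does: `size_t reslen = strlen(res);`, `ret = snprintf(res + reslen, buflen - reslen, "%c%s", delim, enc);`, `if (ret < 0 || (size_t)ret >= buflen - reslen) {`. Testing `ret < 0` and casting also makes the int-versus-size_t comparison explicit, which the checks `ret >= buflen` in the first branch and `ret >= buflen - reslen` in the next hunk currently leave to implicit conversion. The function starts and ends outside this hunk.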
@@ -291,14 +310,25 @@ char *_shout_util_dict_urlencode(util_di
 			return NULL;
 		}
 
-		if (!(tmp = realloc(res, strlen(res) + strlen(enc) + 2))) {
+		buflen = strlen(res) + strlen(enc) + 2;
+		if ((tmp = realloc(res, buflen)) == NULL) {
 			free(enc);
 			free(res);
 			return NULL;
-		} else
+		} else {
+			int ret;
+			size_t reslen;
 			res = tmp;
-		sprintf(res + strlen(res), "=%s", enc);
-		free(enc);
+			reslen = strlen(res);
+			ret = snprintf(res + reslen, buflen - reslen, "=%s", enc);
+			if (ret == -1 || ret >= buflen - reslen) {
+				free(enc);
+				free(res);
+				return NULL;
+			}
+			free(enc);
+			enc = NULL;
+		}
 	}
 
 	return res;
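Review bot: The size computation `buflen = strlen(res) + strlen(enc) + 2;` has no comment saying what the two extra bytes are for, yet the truncation check below depends on that count being exact. A one-line comment above it, such as `/* +2: '=' separator and terminating NUL */`, would document this. The same applies to the delimiter case in the previous hunk. The function begins outside this hunk.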
