--- nmh-0.27/h/prototypes.h.security Mon Jun 29 00:07:25 1998 +++ nmh-0.27/h/prototypes.h Sat Jul 18 14:04:47 1998 @@ -44,6 +44,7 @@ void context_save (void); char *copy (char *, char *); char **copyip (char **, char **); +char **copyip_n (char **, char **, int); void cpydata (int, int, char *, char *); void cpydgst (int, int, char *, char *); int decode_rfc2047 (char *, char *); --- nmh-0.27/sbr/copyip.c.security Sun Jan 4 12:07:01 1998 +++ nmh-0.27/sbr/copyip.c Sat Jul 18 14:04:47 1998 @@ -17,3 +17,11 @@ return q; } + +char **copyip_n(char **p, char **q, int n) +{ + while(*p && --n) + *q++=*p++; + *q=NULL; + return q; +} --- nmh-0.27/sbr/fmt_scan.c.security Thu May 21 03:31:13 1998 +++ nmh-0.27/sbr/fmt_scan.c Sat Jul 18 14:04:47 1998 @@ -237,9 +237,9 @@ return NULL; if (get_x400_comp (mbox, "/G=", given)) - sprintf (buffer, "%s %s", given, surname); + snprintf (buffer, BUFSIZ, "%s %s", given, surname); else - strcpy (buffer, surname); + snprintf (buffer, BUFSIZ, "%s", surname); return buffer; } @@ -254,7 +254,7 @@ || !(cp = strchr(mbox += idx + strlen (key), '/'))) return 0; - sprintf (buffer, "%*.*s", cp - mbox, cp - mbox, mbox); + snprintf (buffer, BUFSIZ, "%*.*s", cp - mbox, cp - mbox, mbox); return 1; } @@ -446,7 +446,7 @@ if (str) { char *xp; - strcpy(buffer, str); + strncpy(buffer, str, BUFSIZ); str = buffer; while (isspace(*str)) str++; @@ -631,7 +631,7 @@ goto unfriendly; if ((str = mn->m_pers) == NULL) if ((str = mn->m_note)) { - strcpy (buffer, str); + strncpy (buffer, str, BUFSIZ); str = buffer; if (*str == '(') str++; 
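Review bot: `while(*p && --n)` in copyip_n only stops on the count when n starts at 1 or more; with n of 0 or less, `--n` is non-zero on the first test and the copy is unbounded again. Test the count before decrementing, for example `while (n > 1 && *p) { *q++ = *p++; n--; }`, and skip the `*q=NULL` store when n is not positive. The function also needs a header comment saying that n counts slots in q including the one taken by the terminating NULL (so at most n-1 pointers are copied) and that the return value points at that terminator, because callers keep appending from it.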
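Review bot: The `BUFSIZ` bound in `snprintf (buffer, BUFSIZ, "%*.*s", cp - mbox, cp - mbox, mbox)` describes an array this code cannot see. buffer appears to be a parameter here (the previous hunk calls `get_x400_comp (mbox, "/G=", given)`), so the limit only holds if every caller passes an array of at least BUFSIZ bytes. Either pass the size in, or add a comment stating the required buffer size at the function header. The width and precision arguments are pointer differences while `*` expects an int, so they should be cast, `(int)(cp - mbox)`. The function begins outside the hunk.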
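Review bot: `strncpy (buffer, str, BUFSIZ)` leaves buffer without a terminating NUL when str holds BUFSIZ bytes or more, and the `while (isspace(*str))` scan that follows then reads past the array. Terminate explicitly with `buffer[BUFSIZ - 1] = '\0';`, as the m_maildir.c hunk of this patch does for mailfold, or use `snprintf (buffer, BUFSIZ, "%s", str)`. The same unterminated strncpy is in the -631 hunk of this file and in folder_delmsgs.c, folder_pack.c, m_draft.c, m_maildir.c (-47 and -88), m_scratch.c, makedir.c, mf.c, getbbent.c, comp.c, dist.c, distsbr.c, dropsbr.c, flist.c and the f1/f2/f3 copies near the end of the sendmail.c section. buffer is declared outside the hunk, so BUFSIZ as its size is an assumption to confirm.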
@@ -651,12 +651,12 @@ str = mn->m_mbox; break; case UUCPHOST: - sprintf (buffer, "%s!%s", mn->m_host, mn->m_mbox); + snprintf (buffer, BUFSIZ, "%s!%s", mn->m_host, mn->m_mbox); str = buffer; break; default: if (mn->m_mbox) { - sprintf (buffer, "%s@%s", mn->m_mbox, mn->m_host); + snprintf (buffer, BUFSIZ, "%s@%s", mn->m_mbox, mn->m_host); str= buffer; } else --- nmh-0.27/sbr/folder_delmsgs.c.security Sun Jan 4 12:46:47 1998 +++ nmh-0.27/sbr/folder_delmsgs.c Sat Jul 18 14:04:47 1998 @@ -71,7 +71,7 @@ dp = m_name (msgnum); if (rename_msgs) { /* rename messages with standard prefix */ - strcpy (buf, m_backup (dp)); + strncpy (buf, m_backup (dp), sizeof(buf)); if (rename (dp, buf) == -1) { admonish (buf, "unable to rename %s to", dp); retval = -1; --- nmh-0.27/sbr/folder_pack.c.security Mon May 11 21:03:32 1998 +++ nmh-0.27/sbr/folder_pack.c Sat Jul 18 14:04:47 1998 @@ -44,8 +44,8 @@ for (msgnum = mp->lowmsg, hole = 1; msgnum <= mp->hghmsg; msgnum++) { if (does_exist (mp, msgnum)) { if (msgnum != hole) { - strcpy (newmsg, m_name (hole)); - strcpy (oldmsg, m_name (msgnum)); + strncpy (newmsg, m_name (hole), BUFSIZ); + strncpy (oldmsg, m_name (msgnum), BUFSIZ); if (verbose) printf ("message %s becomes %s\n", oldmsg, newmsg); --- nmh-0.27/sbr/lock_file.c.security Sun Jan 4 13:19:26 1998 +++ nmh-0.27/sbr/lock_file.c Sat Jul 18 14:04:47 1998 @@ -380,7 +380,7 @@ lockname (char *file, struct lockinfo *li, int isnewlock) { char *bp, *cp; - + int blen=BUFSIZ; #if 0 struct stat st; #endif @@ -390,11 +390,11 @@ cp = file; #ifdef LOCKDIR - sprintf (bp, "%s/", lockdir); + blen -= snprintf (bp, BUFSIZ, "%s/", lockdir); bp += strlen (bp); #else if (cp != file) { - sprintf (bp, "%.*s", cp - file, file); + blen -= snprintf (bp, BUFSIZ, "%.*s", cp - file, file); bp += strlen (bp); } #endif @@ -411,7 +411,7 @@ sprintf (bp, "LCK%05d.%05d", st.st_dev, st.st_ino); #endif - sprintf (bp, "%s.lock", cp); + snprintf (bp, blen, "%s.lock", cp); /* * If this is for a new lock, create a name for 
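Review bot: `blen -= snprintf (bp, BUFSIZ, "%s/", lockdir);` subtracts the length the output would have had, not what was stored, so a long lockdir or directory prefix drives blen to zero or below. The later `snprintf (bp, blen, "%s.lock", cp)` in the -411 hunk then receives a negative int as its size argument, which converts to a very large size_t and removes the bound. Since bp is advanced with `bp += strlen (bp)`, the remaining space is better derived from the pointer, e.g. `blen = BUFSIZ - (bp - start_of_buffer);`, where `start_of_buffer` stands for the array bp was set from, which is outside the hunk. The `sprintf (bp, "LCK%05d.%05d", ...)` context line in the -411 hunk is still unbounded if that branch is ever enabled.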
@@ -421,7 +421,7 @@ if ((cp = strrchr(li->curlock, '/')) == NULL || *++cp == 0) strcpy (li->tmplock, ",LCK.XXXXXX"); else - sprintf (li->tmplock, "%.*s,LCK.XXXXXX", + snprintf (li->tmplock, BUFSIZ, "%.*s,LCK.XXXXXX", cp - li->curlock, li->curlock); unlink (mktemp (li->tmplock)); } --- nmh-0.27/sbr/m_convert.c.security Sat Jan 10 02:35:45 1998 +++ nmh-0.27/sbr/m_convert.c Sat Jul 18 14:04:47 1998 @@ -263,7 +263,11 @@ #else while ((*cp >= 'a' && *cp <= 'z') || *cp == '.') #endif /* LOCALE */ + { + if(bp-buf>=sizeof(buf)) + break; *bp++ = *cp++; + } *bp++ = '\0'; delimp = cp; --- nmh-0.27/sbr/m_draft.c.security Sun Feb 8 17:33:01 1998 +++ nmh-0.27/sbr/m_draft.c Sat Jul 18 14:04:47 1998 @@ -31,7 +31,7 @@ *isdf = 1; chdir (m_maildir ("")); - strcpy (buffer, m_maildir (folder)); + strncpy (buffer, m_maildir (folder), BUFSIZ); if (stat (buffer, &st) == -1) { if (errno != ENOENT) adios (buffer, "error on folder"); --- nmh-0.27/sbr/m_getfld.c.security Mon May 25 15:54:17 1998 +++ nmh-0.27/sbr/m_getfld.c Sat Jul 18 14:04:47 1998 @@ -538,7 +538,7 @@ ; #else /* RPATHS */ cp = unixbuf; - while ((c = getc (iob)) != '\n') + while ((c = getc (iob)) != '\n' && cp-unixbuf < BUFSIZ-1) *cp++ = c; *cp = 0; #endif /* RPATHS */ @@ -639,7 +639,7 @@ break; #else /* RPATHS */ cp = unixbuf; - while ((c = getc (iob)) != '\n' && c >= 0) + while ((c = getc (iob)) != '\n' && c >= 0 && cp-unixbuf < BUFSIZ-1) *cp++ = c; *cp = 0; #endif /* RPATHS */ @@ -688,10 +688,10 @@ if (cp) { /* return path for UUCP style addressing */ dp = strchr (++cp, '\n'); - sprintf (rp, "%.*s!%.*s\n", dp - cp, cp, bp - ap, ap); + snprintf (rp, BUFSIZ, "%.*s!%.*s\n", dp - cp, cp, bp - ap, ap); } else { /* return path for standard domain addressing */ - sprintf (rp, "%.*s\n", bp - ap, ap); + snprintf (rp, BUFSIZ, "%.*s\n", bp - ap, ap); } /* 
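Review bot: The bounded `snprintf (li->tmplock, BUFSIZ, "%.*s,LCK.XXXXXX", ...)` still feeds `unlink (mktemp (li->tmplock))`, so the temporary name is chosen first and the file is created later, leaving a window in which another local user can create that path. If snprintf truncates, the trailing XXXXXX is cut off and mktemp receives an invalid template. mkstemp creates and opens the file in one step and would close the window. Check the snprintf return against the buffer size before using the template. The same mktemp pattern remains in m_scratch.c, m_tmpfil.c and the -247 hunk of mts/smtp/smtp.c. `cp - li->curlock` should be cast to int for `%.*s`.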
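Review bot: The new guard `if(bp-buf>=sizeof(buf)) break;` lets bp reach `buf + sizeof(buf)`, and the unconditional `*bp++ = '\0';` after the loop then writes one byte past the array. Reserve room for the terminator: `if (bp - buf >= (ptrdiff_t)sizeof(buf) - 1) break;`. buf is declared outside the hunk; this assumes it is an array rather than a pointer, otherwise sizeof gives the pointer size.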
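Review bot: In the -538 hunk the loop `while ((c = getc (iob)) != '\n' && cp-unixbuf < BUFSIZ-1)` has no end-of-file test, unlike the -639 hunk which checks `c >= 0`. At EOF it now stores the EOF value repeatedly until the bound stops it. Add the test, `while ((c = getc (iob)) != '\n' && c != EOF && cp - unixbuf < BUFSIZ - 1)`. When the length bound ends either loop, the character just read is discarded and the rest of the line stays in the stream, which deserves a comment or a drain loop. unixbuf's size is not visible here, so BUFSIZ as its capacity should be confirmed.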
@@ -702,7 +702,7 @@ bp++; /* Now get delivery date from envelope */ - sprintf (dd, "%.*s\n", 24, bp); + snprintf (dd, BUFSIZ, "%.*s\n", 24, bp); unixbuf[0] = 0; return 1; --- nmh-0.27/sbr/m_maildir.c.security Sun Dec 14 04:25:16 1997 +++ nmh-0.27/sbr/m_maildir.c Sat Jul 18 14:04:47 1998 @@ -47,9 +47,9 @@ && strcmp (folder, DOT) && strcmp (folder, DOTDOT) && strncmp (folder, PWD, NPWD)) { - strcpy (maildir, mailfold); /* preserve... */ + strncpy (maildir, mailfold, BUFSIZ); /* preserve... */ cp = getcpy (m_maildir (folder)); - strcpy (mailfold, maildir); + strncpy (mailfold, maildir, BUFSIZ); } else { cp = path (folder, TFOLDER); } @@ -72,14 +72,15 @@ && strcmp (folder, DOT) && strcmp (folder, DOTDOT) && strncmp (folder, PWD, NPWD))) { - strcpy (mailfold, folder); + strncpy (mailfold, folder, sizeof(mailfold)); + mailfold[sizeof(mailfold)-1]=0; return mailfold; } cp = mailfold; if ((pp = context_find ("path")) && *pp) { if (*pp != '/') { - sprintf (cp, "%s/", mypath); + snprintf (cp, BUFSIZ, "%s/", mypath); cp += strlen (cp); } cp = copy (pp, cp); @@ -88,7 +89,7 @@ cp = copy (path ("./", TFOLDER), cp); if (cp[-1] != '/') *cp++ = '/'; - strcpy (cp, folder); + strncpy (cp, folder, BUFSIZ-(cp-mailfold)); return mailfold; } --- nmh-0.27/sbr/m_name.c.security Tue May 20 01:19:12 1997 +++ nmh-0.27/sbr/m_name.c Sat Jul 18 14:04:47 1998 @@ -16,6 +16,6 @@ if (num <= 0) return "?"; - sprintf (name, "%d", num); + snprintf (name, BUFSIZ, "%d", num); return name; } --- nmh-0.27/sbr/m_scratch.c.security Sun Jan 4 17:15:18 1998 +++ nmh-0.27/sbr/m_scratch.c Sat Jul 18 14:04:47 1998 
@@ -14,12 +14,12 @@ char *cp; static char buffer[BUFSIZ], tmpfil[BUFSIZ]; - sprintf (tmpfil, "%sXXXXXX", template); + snprintf (tmpfil, BUFSIZ, "%sXXXXXX", template); mktemp (tmpfil); if ((cp = r1bindex (file, '/')) == file) - strcpy (buffer, tmpfil); + strncpy (buffer, tmpfil, BUFSIZ); else - sprintf (buffer, "%.*s%s", cp - file, file, tmpfil); + snprintf (buffer, BUFSIZ, "%.*s%s", cp - file, file, tmpfil); unlink (buffer); return buffer; --- nmh-0.27/sbr/m_tmpfil.c.security Tue May 20 01:19:12 1997 +++ nmh-0.27/sbr/m_tmpfil.c Sat Jul 18 14:04:47 1998 @@ -13,7 +13,7 @@ { static char tmpfil[BUFSIZ]; - sprintf(tmpfil, "/tmp/%sXXXXXX", template); + snprintf(tmpfil, BUFSIZ, "/tmp/%sXXXXXX", template); unlink(mktemp(tmpfil)); return tmpfil; --- nmh-0.27/sbr/makedir.c.security Sun Jan 4 12:47:57 1998 +++ nmh-0.27/sbr/makedir.c Sat Jul 18 14:04:47 1998 @@ -28,7 +28,7 @@ fflush(stdout); if (getuid () == geteuid ()) { - c = strcpy(path, dir); + c = strncpy(path, dir, PATH_MAX); while ((c = strchr((c + 1), '/')) != NULL) { *c = (char)0; --- nmh-0.27/sbr/path.c.security Sun Dec 14 04:27:26 1997 +++ nmh-0.27/sbr/path.c Sat Jul 18 14:04:47 1998 @@ -44,10 +44,10 @@ char buffer[BUFSIZ]; if (flag == TSUBCWF) { - sprintf (buffer, "%s/%s", getfolder (1), name); + snprintf (buffer, BUFSIZ, "%s/%s", getfolder (1), name); name = m_mailpath (buffer); compath (name); - sprintf (buffer, "%s/", m_maildir ("")); + snprintf (buffer, BUFSIZ, "%s/", m_maildir ("")); if (ssequal (buffer, name)) { cp = name; name = getcpy (name + strlen (buffer)); @@ -81,7 +81,7 @@ name += NCWD; if (strcmp (name, DOTDOT) == 0 || strcmp (name, PWD) == 0) { - sprintf (buffer, "%.*s", cp - pwds, pwds); + snprintf (buffer, BUFSIZ, "%.*s", cp - pwds, pwds); return getcpy (buffer); } 
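Review bot: In path.c the result of `snprintf (buffer, BUFSIZ, "%s/%s", getfolder (1), name)` is used as a path without checking for truncation, so an over-long name is silently shortened and `m_mailpath (buffer)` resolves a different path than the one requested. Compare the return value with the buffer size and fail instead, e.g. `if (n < 0 || n >= BUFSIZ) adios (NULL, "path too long");` with `n` holding the snprintf result. The same applies wherever the formatted string is later passed to rename, unlink or fopen, such as the `.bad` and `.bulk` names in mts/smtp/smtp.c. adios is assumed to be the project's fatal-error helper, as used in the m_draft.c hunk.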
@@ -90,7 +90,7 @@ else cp = ep; - sprintf (buffer, "%.*s/%s", cp - pwds, pwds, name); + snprintf (buffer, BUFSIZ, "%.*s/%s", cp - pwds, pwds, name); return getcpy (buffer); } --- nmh-0.27/sbr/seq_bits.c.security Wed Nov 26 18:41:45 1997 +++ nmh-0.27/sbr/seq_bits.c Sat Jul 18 14:04:47 1998 @@ -14,9 +14,9 @@ int i; static char buffer[BUFSIZ]; - strcpy (buffer, MBITS); + strncpy (buffer, MBITS, BUFSIZ); for (i = 0; mp->msgattrs[i]; i++) - sprintf (buffer + strlen (buffer), "%c%s", + snprintf (buffer + strlen (buffer), BUFSIZ-strlen(buffer), "%c%s", FFATTRSLOT + 1 + i, mp->msgattrs[i]); return buffer; --- nmh-0.27/zotnet/tws/dtime.c.security Sun May 17 12:51:43 1998 +++ nmh-0.27/zotnet/tws/dtime.c Sat Jul 18 16:42:50 1998 @@ -252,7 +252,7 @@ if (!tw) return NULL; - sprintf (buffer, "%.3s %.3s %02d %02d:%02d:%02d %.4d\n", + snprintf (buffer, 25, "%.3s %.3s %02d %02d:%02d:%02d %.4d\n", tw_dotw[tw->tw_wday], tw_moty[tw->tw_mon], tw->tw_mday, tw->tw_hour, tw->tw_min, tw->tw_sec, tw->tw_year < 100 ? tw->tw_year + 1900 : tw->tw_year); @@ -326,20 +326,20 @@ if ((tw->tw_flags & TW_SZONE) == TW_SZNIL) result[0] = '\0'; else - sprintf(result, " %s", dtimezone(tw->tw_zone, tw->tw_flags | flags)); + snprintf(result, 80, " %s", dtimezone(tw->tw_zone, tw->tw_flags | flags)); - sprintf(buffer, "%02d %s %0*d %02d:%02d:%02d%s", + snprintf(buffer, 80, "%02d %s %0*d %02d:%02d:%02d%s", tw->tw_mday, tw_moty[tw->tw_mon], tw->tw_year < 100 ? 2 : 4, tw->tw_year, tw->tw_hour, tw->tw_min, tw->tw_sec, result); if ((tw->tw_flags & TW_SDAY) == TW_SEXP) - sprintf (result, "%s, %s", tw_dotw[tw->tw_wday], buffer); + snprintf (result, 80, "%s, %s", tw_dotw[tw->tw_wday], buffer); else if ((tw->tw_flags & TW_SDAY) == TW_SNIL) strcpy (result, buffer); else - sprintf (result, "%s (%s)", buffer, tw_dotw[tw->tw_wday]); + snprintf (result, 80, "%s (%s)", buffer, tw_dotw[tw->tw_wday]); return result; } 
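Review bot: The literal size in `snprintf (buffer, 25, "%.3s %.3s %02d %02d:%02d:%02d %.4d\n", ...)` is one too small for this format. The formatted text is 25 characters including the newline, so with a limit of 25 snprintf stores 24 characters plus the NUL and the trailing newline is always dropped. Use the array itself, `snprintf (buffer, sizeof(buffer), ...)`, assuming buffer is an array declared just above the hunk. The literals 80 and 10 in the next two hunks of this file should become sizeof expressions for the same reason, and `strcpy (result, buffer)` in the -326 hunk is still unbounded.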
@@ -379,7 +379,7 @@ if (flags & TW_DST) hours += 1; #endif /* defined(DSTXXX) */ - sprintf (buffer, "%s%02d%02d", offset < 0 ? "-" : "+", abs (hours), abs (mins)); + snprintf (buffer, 10, "%s%02d%02d", offset < 0 ? "-" : "+", abs (hours), abs (mins)); return buffer; } --- nmh-0.27/zotnet/mf/mf.c.security Mon Jan 27 00:38:34 1997 +++ nmh-0.27/zotnet/mf/mf.c Sat Jul 18 16:46:41 1998 @@ -425,9 +425,9 @@ while (isspace (*ap)) ap++; if (cp) - sprintf (adr, "%.*s", cp - ap, ap); + snprintf (adr, BUFSIZ, "%.*s", cp - ap, ap); else - strcpy (adr, ap); + strncpy (adr, ap, BUFSIZ); bp = adr + strlen (adr) - 1; if (*bp == ',' || *bp == ';' || *bp == '\n') *bp = 0; @@ -484,7 +484,7 @@ return OK; /* why be choosy? */ default: - sprintf (err, "illegal address construct (%s)", buffer); + snprintf (err, BUFSIZ, "illegal address construct (%s)", buffer); return NOTOK; } @@ -503,13 +503,13 @@ return NOTOK; if (last_lex == LX_RBRK) return OK; - sprintf (err, "missing right-bracket (%s)", buffer); + snprintf (err, BUFSIZ, "missing right-bracket (%s)", buffer); return NOTOK; case LX_COLN: get_group: ; if (glevel++ > 0) { - sprintf (err, "nested groups not allowed (%s)", pers); + snprintf (err, BUFSIZ, "nested groups not allowed (%s)", pers); return NOTOK; } grp = add (": ", pers); @@ -538,7 +538,7 @@ goto more_phrase; default: - sprintf (err, "no mailbox in address, only a phrase (%s%s)", + snprintf (err, BUFSIZ, "no mailbox in address, only a phrase (%s%s)", pers, buffer); return NOTOK; } @@ -574,7 +574,7 @@ return OK; default: - sprintf (err, "junk after local@domain (%s)", buffer); + snprintf (err, BUFSIZ, "junk after local@domain (%s)", buffer); return NOTOK; } @@ -591,7 +591,7 @@ return OK; default: - sprintf (err, "missing mailbox (%s)", buffer); + snprintf (err, BUFSIZ, "missing mailbox (%s)", buffer); return NOTOK; } } 
@@ -639,7 +639,7 @@ return OK; default: - sprintf (err, "no at-sign after local-part (%s)", buffer); + snprintf (err, BUFSIZ, "no at-sign after local-part (%s)", buffer); return NOTOK; } } @@ -658,7 +658,7 @@ break; default: - sprintf (err, "no mailbox in local-part (%s)", buffer); + snprintf (err, BUFSIZ, "no mailbox in local-part (%s)", buffer); return NOTOK; } @@ -685,7 +685,7 @@ break; default: - sprintf (err, "no sub-domain in domain-part of address (%s)", buffer); + snprintf (err, BUFSIZ, "no sub-domain in domain-part of address (%s)", buffer); return NOTOK; } @@ -720,7 +720,7 @@ break; default: - sprintf (err, "no sub-domain in domain-part of address (%s)", buffer); + snprintf (err, BUFSIZ, "no sub-domain in domain-part of address (%s)", buffer); return NOTOK; } switch (my_lex (buffer)) { @@ -736,7 +736,7 @@ break; default: - sprintf (err, "no at-sign found for next domain in route (%s)", + snprintf (err, BUFSIZ, "no at-sign found for next domain in route (%s)", buffer); } break; @@ -753,7 +753,7 @@ return OK; default: - sprintf (err, "no colon found to terminate route (%s)", buffer); + snprintf (err, BUFSIZ, "no colon found to terminate route (%s)", buffer); return NOTOK; } } @@ -894,7 +894,7 @@ for (cp = p; *cp; cp++) for (i = 0; special[i].lx_chr; i++) if (*cp == special[i].lx_chr) { - sprintf (buffer, "\"%s\"", p); + snprintf (buffer, BUFSIZ, "\"%s\"", p); return buffer; } --- nmh-0.27/zotnet/bboards/getbbent.c.security Sun Feb 2 05:04:22 1997 +++ nmh-0.27/zotnet/bboards/getbbent.c Sat Jul 18 14:04:49 1998 @@ -100,7 +100,7 @@ if (BBuid == -1) return setbbinfo (BBOARDS, file, f); - strcpy (BBData, file); + strncpy (BBData, file, sizeof(BBData)); BBflags = SB_NULL; endbbent (); 
@@ -153,10 +153,10 @@ static int setpwaux (struct passwd *pw, char *file) { - strcpy (BBName, pw->pw_name); + strncpy (BBName, pw->pw_name, sizeof(BBName)); BBuid = pw->pw_uid; - strcpy (BBDir, pw->pw_dir); - sprintf (BBData, "%s/%s", + strncpy (BBDir, pw->pw_dir, sizeof(BBDir)); + snprintf (BBData,sizeof(BBData), "%s/%s", *file != '/' ? BBDir : "", *file != '/' ? file : file + 1); @@ -395,12 +395,12 @@ if (*bb->bb_request == '-') if (p == NULL && r && *r == '@') - sprintf (BBRequest, "%s%s%s", bb->bb_name, bb->bb_request, r); + snprintf (BBRequest, sizeof(BBRequest), "%s%s%s", bb->bb_name, bb->bb_request, r); else - sprintf (BBRequest, "%s%s", bb->bb_name, bb->bb_request); + snprintf (BBRequest, sizeof(BBRequest), "%s%s", bb->bb_name, bb->bb_request); else if (p == NULL && r && *r == '@' && *bb->bb_request) - sprintf (BBRequest, "%s%s", bb->bb_request, r); + snprintf (BBRequest, sizeof(BBRequest), "%s%s", bb->bb_request, r); if (BBRequest[0]) bb->bb_request = BBRequest; @@ -410,7 +410,7 @@ : bb->bb_leader[0]; if (*bb->bb_addr == '@') { - sprintf (BBAddr, "%s%s", bb->bb_name, bb->bb_addr); + snprintf (BBAddr, sizeof(BBAddr), "%s%s", bb->bb_name, bb->bb_addr); bb->bb_addr = BBAddr; } else 
@@ -420,22 +420,22 @@ if (*bb->bb_file == 0) return; if (*bb->bb_file != '/') { - sprintf (BBFile, "%s/%s", BBDir, bb->bb_file); + snprintf (BBFile, sizeof(BBFile), "%s/%s", BBDir, bb->bb_file); bb->bb_file = BBFile; } if ((cp = strrchr(bb->bb_file, '/')) == NULL || *++cp == 0) strcpy (prf, ""), cp = bb->bb_file; else - sprintf (prf, "%.*s", cp - bb->bb_file, bb->bb_file); + snprintf (prf, sizeof(prf),"%.*s", cp - bb->bb_file, bb->bb_file); if ((dp = strchr(cp, '.')) == NULL) dp = cp + strlen (cp); - sprintf (BBArchive, "%s%s/%s", prf, ARCHIVE, cp); + snprintf (BBArchive, sizeof(BBArchive), "%s%s/%s", prf, ARCHIVE, cp); bb->bb_archive = BBArchive; - sprintf (BBInfo, "%s.%.*s%s", prf, dp - cp, cp, CNTFILE); + snprintf (BBInfo, sizeof(BBInfo), "%s.%.*s%s", prf, dp - cp, cp, CNTFILE); bb->bb_info = BBInfo; - sprintf (BBMap, "%s.%.*s%s", prf, dp - cp, cp, MAPFILE); + snprintf (BBMap, sizeof(BBMap), "%s.%.*s%s", prf, dp - cp, cp, MAPFILE); bb->bb_map = BBMap; if ((info = fopen (bb->bb_info, "r")) == NULL) @@ -460,7 +460,7 @@ register char *p, **q, **r; static uid_t uid = 0; static gid_t gid = 0; - static char username[10] = ""; + static char username[16] = ""; register struct passwd *pw; register struct group *gr; @@ -473,7 +473,7 @@ if ((pw = getpwuid (uid = getuid ())) == NULL) return 0; gid = getgid (); - strcpy (username, pw->pw_name); + strncpy (username, pw->pw_name, sizeof(username)); } if (uid == BBuid) @@ -626,15 +626,15 @@ if ((cp = strrchr(bb->bb_file, '/')) == NULL || *++cp == 0) strcpy (prf, ""), cp = bb->bb_file; else - sprintf (prf, "%.*s", cp - bb->bb_file, bb->bb_file); + snprintf (prf, BUFSIZ, "%.*s", cp - bb->bb_file, bb->bb_file); if ((dp = strchr(cp, '.')) == NULL) dp = cp + strlen (cp); - sprintf (file, "%s.%.*s%s", prf, dp - cp, cp, DSTFILE); + snprintf (file, BUFSIZ, "%s.%.*s%s", prf, dp - cp, cp, DSTFILE); hp = file; break; default: - sprintf (file, "%s/%s", BBDir, item); + snprintf (file, BUFSIZ, "%s/%s", BBDir, item); hp = file; break; } 
@@ -656,12 +656,12 @@ default: if ((hp = strrchr(item, '@'))) { *hp++ = 0; - strcpy (mbox, item); - strcpy (host, hp); + strncpy (mbox, item, sizeof(mbox)); + strncpy (host, hp, sizeof(host)); *--hp = '@'; } else { - sprintf (mbox, "%s%s", DISTADR, bb->bb_name); + snprintf (mbox, sizeof(mbox), "%s%s", DISTADR, bb->bb_name); strcpy (host, item); } if ((result = (*action) (mbox, host))) --- nmh-0.27/mts/smtp/hosts.c.security Thu Jan 22 18:21:02 1998 +++ nmh-0.27/mts/smtp/hosts.c Sat Jul 18 14:04:47 1998 @@ -39,7 +39,7 @@ char **r; struct host *h; - for (p = name, q = site; *p; p++, q++) + for (p = name, q = site; *p; p++, q++ && q-site h_name; - strcpy (buffer, site); + strncpy (buffer, site, BUFSIZ); return buffer; } --- nmh-0.27/mts/smtp/smtp.c.security Wed Nov 26 19:39:35 1997 +++ nmh-0.27/mts/smtp/smtp.c Sat Jul 18 14:04:47 1998 @@ -76,7 +76,7 @@ #endif -#define MAXEHLO 20 +#define MAXEHLO 30 static int doingEHLO; char *EHLOkeys[MAXEHLO + 1]; @@ -247,7 +247,7 @@ if ((dp = strrchr(*ap, '/')) && *++dp == NULL) *--dp = NULL; - sprintf (sm_tmpfil, "%s/smtpXXXXXX", *ap); + snprintf (sm_tmpfil, sizeof(sm_tmpfil), "%s/smtpXXXXXX", *ap); mktemp (sm_tmpfil); if ((sd = creat (sm_tmpfil, 0600)) != NOTOK) { @@ -486,16 +486,17 @@ char *dp, *bp, *cp, s; char buffer[BUFSIZ], sender[BUFSIZ]; FILE *fp, *gp; + int len=BUFSIZ; gp = NULL; k = strlen (file) - sizeof(".bulk"); if ((fp = fopen (file, "r")) == NULL) { - sprintf (bp = sm_reply.text, "unable to read %s: ", file); + len-=snprintf (bp = sm_reply.text, BUFSIZ, "unable to read %s: ", file); bp += strlen (bp); if ((s = strerror (errno))) - strcpy (bp, s); + len-=snprinf(bp, len, "%s", s); else - sprintf (bp, "Error %d", errno); + len-=snprintf (bp, len, "Error %d", errno); sm_reply.length = strlen (sm_reply.text); sm_reply.code = NOTOK; return RP_BHST; 
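Review bot: The else branch in the -656 hunk of getbbent.c still does `strcpy (host, item);` with no bound, although the if branch was changed to `strncpy (host, hp, sizeof(host))`. Bound it the same way with guaranteed termination, `snprintf (host, sizeof(host), "%s", item);`. The two strncpy calls in the if branch need an explicit terminator as well, since mbox and host go straight to `(*action) (mbox, host)`.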
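Review bot: `len-=snprinf(bp, len, "%s", s);` in the -486 hunk of mts/smtp/smtp.c misspells snprintf, so the file will not link. The `len -=` bookkeeping is also unsafe because snprintf returns the length the full output would have had; after a truncated first call len can be zero or negative, and a negative int passed as the size converts to a huge size_t. Recompute it after `bp += strlen (bp);` with `len = BUFSIZ - (bp - sm_reply.text);`. The visible declaration `char *dp, *bp, *cp, s;` makes s a plain char, which does not match `s = strerror (errno)` or `%s` and looks like it should be `char *s`. The same `len -=` pattern is in the -708 and -854 hunks and in mts/sendmail/sendmail.c.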
@@ -520,10 +521,10 @@ fflush (stdout); } losing0: ; - sprintf (buffer, "%s.bad", file); + snprintf (buffer, BUFSIZ, "%s.bad", file); rename (file, buffer); if (gp) { - sprintf (buffer, "%*.*sA.bulk", k, k, file); + snprintf (buffer, BUFSIZ, "%*.*sA.bulk", k, k, file); unlink (buffer); fclose (gp); } @@ -557,13 +558,15 @@ for (dp = cp, i = cc - 1; i > 0; dp += cc, i -= cc) if ((cc = write (fileno (sm_wfp), dp, i)) == NOTOK) { + len=BUFSIZ; losing3: ; strcpy (bp = sm_reply.text, "error writing to server: "); bp += strlen (bp); + len -= strlen(bp); if ((s = strerror (errno))) - strcpy (bp, s); + len-=snprintf(bp, len, "%s", s); else - sprintf (bp, "unknown error %d", errno); + len-=snprintf (bp, len, "unknown error %d", errno); sm_reply.length = strlen (sm_reply.text); goto losing2; } @@ -627,7 +630,7 @@ break; if (gp == NULL) { int l; - sprintf (buffer, "%*.*sA.bulk", k, k, file); + snprintf (buffer, BUFSIZ, "%*.*sA.bulk", k, k, file); if ((gp = fopen (buffer, "w+")) == NULL) goto bad_data; fprintf (gp, "MAIL FROM:<>\r\nRCPT TO:%sDATA\r\n", sender); @@ -664,7 +667,7 @@ smtalk (SM_RSET, "RSET"); free (cp); if (gp) { - sprintf (buffer, "%*.*sA.bulk", k, k, file); + snprintf (buffer, BUFSIZ, "%*.*sA.bulk", k, k, file); unlink (buffer); fclose (gp); } @@ -708,12 +711,13 @@ for (dp = cp, i = cc; i > 0; dp += j, i -= j) if ((j = fread (cp, sizeof(*cp), i, fp)) == OK) { if (ferror (fp)) { - sprintf (bp = sm_reply.text, "error reading %s: ", file); + len=BUFSIZ; + len-=snprintf (bp = sm_reply.text, len, "error reading %s: ", file); bp += strlen (bp); if ((s = strerror (errno))) - strcpy (bp, s); + len-=snprintf(bp, len, "%s", s); else - sprintf (bp, "unknown error %d", errno); + len-=snprintf (bp, len, "unknown error %d", errno); sm_reply.length = strlen (sm_reply.text); goto losing2; } 
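Review bot: In the -557 hunk `len=BUFSIZ;` is placed before the `losing3: ;` label, so a `goto losing3` from elsewhere in the function reaches the snprintf calls with whatever len held at that point. The reset belongs below the label. `len -= strlen(bp);` runs after `bp += strlen (bp);`, when bp already points at the terminator, so it always subtracts 0 and the prefix is never accounted for. Setting `len = BUFSIZ - (bp - sm_reply.text);` after advancing bp fixes both. The function starts and ends outside the hunk.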
@@ -754,7 +758,7 @@ default: result = RP_NO; if (gp) { - sprintf (buffer, "%*.*sA.bulk", k, k, file); + snprintf (buffer, BUFSIZ, "%*.*sA.bulk", k, k, file); unlink (buffer); fclose (gp); gp = NULL; @@ -775,7 +779,7 @@ fseek (gp, 0L, SEEK_SET); } else { - sprintf (buffer, "%*.*sA.bulk", k, k, file); + snprintf (buffer, BUFSIZ, "%*.*sA.bulk", k, k, file); if ((gp = fopen (buffer, "w")) == NULL) break; } @@ -816,7 +820,7 @@ va_list ap; va_start(ap, fmt); - vsprintf (sm_reply.text, fmt, ap); + vsnprintf (sm_reply.text, BUFSIZ, fmt, ap); va_end(ap); sm_reply.length = strlen (sm_reply.text); @@ -834,7 +838,7 @@ char buffer[BUFSIZ]; va_start(ap, fmt); - vsprintf (buffer, fmt, ap); + vsnprintf (buffer, BUFSIZ, fmt, ap); va_end(ap); if (sm_debug) { @@ -854,18 +858,19 @@ fflush (sm_wfp); if (ferror (sm_wfp)) return sm_werror (); - sprintf (file, "%s%c.bulk", sm_tmpfil, + snprintf (file, BUFSIZ, "%s%c.bulk", sm_tmpfil, (char) (sm_ispool + 'a' - 1)); if (rename (sm_tmpfil, file) == NOTOK) { char *bp; - sprintf (bp = sm_reply.text, + int len=BUFSIZ; + len-=snprintf (bp = sm_reply.text, len, "error renaming %s to %s: ", sm_tmpfil, file); bp += strlen (bp); if ((s = strerror (errno))) - strcpy (bp, s); + len-=snprintf(bp, len, "%s", s); else - sprintf (bp, "unknown error %d", errno); + len-=snprintf (bp, len, "unknown error %d", errno); sm_reply.length = strlen (sm_reply.text); sm_reply.code = NOTOK; return RP_BHST; @@ -1012,6 +1017,7 @@ int i, code, cont, bc, rc, more; char *bp, *rp; char **ehlo, buffer[BUFSIZ]; + int len = BUFSIZ; if (doingEHLO) { static int at_least_once = 0; @@ -1091,10 +1097,14 @@ } if ((i = min (bc, rc)) > 0) { - strncpy (rp, bp, i); + if(len>i) + { + strncpy (rp, bp, i); + len-=i; + } rp += i, rc -= i; if (more && rc > strlen (sm_moreply) + 1) { - strcpy (sm_reply.text + rc, sm_moreply); + snprintf(sm_reply.text + rc, BUFSIZ-rc, "%s", sm_moreply); rc += strlen (sm_moreply); } } 
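Review bot: In the -1091 hunk the new `if(len>i)` guard skips the `strncpy (rp, bp, i)` but `rp += i, rc -= i;` still runs, so rp and rc advance over bytes that were never written and the reply text can contain stale data. The copy already looks bounded by rc through `i = min (bc, rc)`, so either drop len or advance the pointers only inside the guarded block. rc's meaning is defined outside the hunk, so confirm that `BUFSIZ-rc` is the space remaining at `sm_reply.text + rc`.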
@@ -1193,7 +1203,7 @@ case RP_BHST: default: text = "BHST"; - sprintf (buffer, "[%s] %s", text, sm_reply.text); + snprintf (buffer, BUFSIZ, "[%s] %s", text, sm_reply.text); return buffer; case RP_PARM: @@ -1213,7 +1223,7 @@ break; } - sprintf (buffer, "[%s] %3d %s", text, sm_reply.code, sm_reply.text); + snprintf (buffer, BUFSIZ, "[%s] %3d %s", text, sm_reply.code, sm_reply.text); return buffer; } --- nmh-0.27/mts/sendmail/hosts.c.security Thu Jan 22 18:20:36 1998 +++ nmh-0.27/mts/sendmail/hosts.c Sat Jul 18 14:04:47 1998 @@ -39,7 +39,7 @@ char **r; struct host *h; - for (p = name, q = site; *p; p++, q++) + for (p = name, q = site; *p; p++, q++ && q-site < BUFSIZ) *q = isupper (*p) ? tolower (*p) : *p; *q = 0; q = site; --- nmh-0.27/mts/sendmail/sendmail.c.security Wed Nov 26 19:38:55 1997 +++ nmh-0.27/mts/sendmail/sendmail.c Sat Jul 18 14:04:47 1998 @@ -80,7 +80,7 @@ static int doingEHLO; -#define MAXEHLO 10 +#define MAXEHLO 20 /* 10 isnt enough nowdays */ char *EHLOkeys[MAXEHLO + 1]; /* @@ -428,7 +428,7 @@ va_list ap; va_start(ap, fmt); - vsprintf (sm_reply.text, fmt, ap); + vsnprintf (sm_reply.text, BUFSIZ, fmt, ap); va_end(ap); sm_reply.length = strlen (sm_reply.text); @@ -444,9 +444,10 @@ int result; char buffer[BUFSIZ]; va_list ap; + int len=BUFSIZ; va_start(ap, fmt); - vsprintf (buffer, fmt, ap); + vsnprintf (buffer, BUFSIZ, fmt, ap); va_end(ap); if (sm_debug) { 
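Review bot: In mts/sendmail/hosts.c the bound was added to the increment clause, `p++, q++ && q-site < BUFSIZ`, where its result is discarded, so the loop still runs until `*p` is NUL and can write past site. The test has to be in the loop condition and leave room for the `*q = 0;` that follows: `for (p = name, q = site; *p && q - site < BUFSIZ - 1; p++, q++)`. The matching hunk in mts/smtp/hosts.c is garbled on this page but appears to make the same change. site is declared outside the hunk, so BUFSIZ as its size should be confirmed.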
@@ -466,18 +467,18 @@ fflush (sm_wfp); if (ferror (sm_wfp)) return sm_werror (); - sprintf (file, "%s%c.bulk", sm_tmpfil, + snprintf (file, BUFSIZ, "%s%c.bulk", sm_tmpfil, (char) (sm_ispool + 'a' - 1)); if (rename (sm_tmpfil, file) == NOTOK) { char *bp; - sprintf (bp = sm_reply.text, + len-=snprintf (bp = sm_reply.text, BUFSIZ, "error renaming %s to %s: ", sm_tmpfil, file); bp += strlen (bp); if ((s = strerror (errno))) - strcpy (bp, s); - else - sprintf (bp, "unknown error %d", errno); + len-=snprintf(bp, len, "%s",s); + else + len-=snprintf (bp, len, "unknown error %d", errno); sm_reply.length = strlen (sm_reply.text); sm_reply.code = NOTOK; return RP_BHST; @@ -694,8 +695,11 @@ strncpy (rp, bp, i); rp += i, rc -= i; if (more && rc > strlen (sm_moreply) + 1) { - strcpy (sm_reply.text + rc, sm_moreply); - rc += strlen (sm_moreply); + if(rchghmsg; j > msgnum; i--, j--) { - strcpy (f1, m_name (i)); - strcpy (f2, m_name (j)); + strncpy (f1, m_name (i), BUFSIZ); + strncpy (f2, m_name (j), BUFSIZ); if (does_exist (mp, j)) { if (verbosw) printf ("message %d becomes message %d\n", j, i); @@ -313,8 +313,8 @@ /* new hghmsg is hghmsg + numburst */ i = inplace ? msgnum + numburst : mp->hghmsg; for (j = numburst; j >= (inplace ? 0 : 1); i--, j--) { - strcpy (f1, m_name (i)); - strcpy (f2, m_scratch ("", invo_name)); + strncpy (f1, m_name (i), BUFSIZ); + strncpy (f2, m_scratch ("", invo_name), BUFSIZ); if (verbosw && i != msgnum) printf ("message %d of digest %d becomes message %d\n", j, msgnum, i); @@ -327,7 +327,7 @@ fclose (out); if (i == msgnum) { - strcpy (f3, m_backup (f1)); + strncpy (f3, m_backup (f1), BUFSIZ); if (rename (f1, f3) == NOTOK) admonish (f3, "unable to rename %s to", f1); } --- nmh-0.27/uip/comp.c.security Wed Jul 1 00:14:37 1998 +++ nmh-0.27/uip/comp.c Sat Jul 18 16:25:17 1998 
@@ -80,13 +80,13 @@ setlocale(LC_ALL, ""); #endif invo_name = r1bindex (argv[0], '/'); - if ((cp = context_find (invo_name))) { + if ((cp = context_find (invo_name)) != NULL) { ap = brkstring (cp = getcpy (cp), " ", "\n"); - ap = copyip (ap, arguments); + ap = copyip_n(ap, arguments, BUFSIZ); } else { ap = arguments; } - copyip (argv + 1, ap); + copyip_n(argv + 1, ap, BUFSIZ); argp = arguments; while ((cp = *argp++)) { @@ -99,7 +99,7 @@ adios (NULL, "-%s unknown", cp); case HELPSW: - sprintf (buf, "%s [+folder] [msg] [switches]", invo_name); + snprintf (buf, BUFSIZ, "%s [+folder] [msg] [switches]", invo_name); print_help (buf, switches, 1); done (1); case VERSIONSW: @@ -179,7 +179,7 @@ cwd = getcpy (pwd ()); - if (!context_find ("path")) + if (context_find ("path") == NULL) free (path ("./", TFOLDER)); /* Check if we are using a draft folder */ @@ -235,7 +235,7 @@ } try_it_again: - strcpy (drft, m_draft (dfolder, file, use, &isdf)); + strncpy (drft, m_draft (dfolder, file, use, &isdf), BUFSIZ); /* * Check if we have an existing draft --- nmh-0.27/uip/conflict.c.security Wed Jan 14 21:07:48 1998 +++ nmh-0.27/uip/conflict.c Sat Jul 18 14:04:48 1998 @@ -61,7 +61,7 @@ { int akp = 0, dp = 0; char *cp, **argp = argv + 1; - char buf[80], *akv[50]; + char buf[BUFSIZ], *akv[50]; #ifdef LOCALE setlocale(LC_ALL, ""); @@ -83,7 +83,7 @@ adios (NULL, "-%s unknown", cp); case HELPSW: - sprintf (buf, "%s [switches] [aliasfiles ...]", invo_name); + snprintf (buf, BUFSIZ, "%s [switches] [aliasfiles ...]", invo_name); print_help (buf, switches, 0); done (1); case VERSIONSW: @@ -539,3 +539,4 @@ fprintf (out, "all group leaders accounted for\n"); } #endif /* UCI */ + --- nmh-0.27/uip/dist.c.security Wed Jul 1 00:15:07 1998 +++ nmh-0.27/uip/dist.c Sat Jul 18 16:25:35 1998 
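Review bot: The limit passed to copyip_n in the -80 hunk of comp.c is not the capacity of the destination. `copyip_n(ap, arguments, BUFSIZ)` uses a byte-buffer constant for a pointer array; arguments is declared outside this hunk, but fmtdump.c makes the same call with `*arguments[MAXARGS]` visible. The second call, `copyip_n(argv + 1, ap, BUFSIZ)`, passes a full-size count although ap may already point past the entries copied from the profile. Assuming arguments has MAXARGS slots here as in the other programs, use `copyip_n(ap, arguments, MAXARGS)` and `copyip_n(argv + 1, ap, MAXARGS - (ap - arguments))`. dist.c, dp.c and flist.c already pass MAXARGS but have the same second-call problem.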
@@ -73,7 +73,7 @@ int nwhat = 0, i, in, isdf = 0, out; char *cp, *cwd, *maildir, *msgnam, *dfolder = NULL; char *dmsg = NULL, *ed = NULL, *file = NULL, *folder = NULL; - char *form = NULL, *msg = NULL, buf[100], drft[BUFSIZ]; + char *form = NULL, *msg = NULL, buf[BUFSIZ], drft[BUFSIZ]; char **ap, **argp, *arguments[MAXARGS]; struct msgs *mp = NULL; struct stat st; @@ -82,13 +82,13 @@ setlocale(LC_ALL, ""); #endif invo_name = r1bindex (argv[0], '/'); - if ((cp = context_find (invo_name))) { + if ((cp = context_find (invo_name)) != NULL) { ap = brkstring (cp = getcpy (cp), " ", "\n"); - ap = copyip (ap, arguments); + ap = copyip_n(ap, arguments, MAXARGS); } else { ap = arguments; } - copyip (argv + 1, ap); + copyip_n(argv + 1, ap, MAXARGS); argp = arguments; while ((cp = *argp++)) { @@ -101,7 +101,7 @@ adios (NULL, "-%s unknown", cp); case HELPSW: - sprintf (buf, "%s [+folder] [msg] [switches]", invo_name); + snprintf (buf, BUFSIZ, "%s [+folder] [msg] [switches]", invo_name); print_help (buf, switches, 1); done (1); case VERSIONSW: @@ -187,7 +187,7 @@ cwd = getcpy (pwd ()); - if (!context_find ("path")) + if (context_find ("path") == NULL) free (path ("./", TFOLDER)); if (file && (msg || folder)) adios (NULL, "can't mix files and folders/msgs"); @@ -202,7 +202,7 @@ } try_it_again: - strcpy (drft, m_draft (dfolder, dmsg, NOUSE, &isdf)); + strncpy (drft, m_draft (dfolder, dmsg, NOUSE, &isdf), BUFSIZ); /* Check if draft already exists */ if (stat (drft, &st) != NOTOK) { --- nmh-0.27/uip/distsbr.c.security Wed Dec 17 02:09:47 1997 +++ nmh-0.27/uip/distsbr.c Sat Jul 18 14:04:48 1998 
@@ -49,9 +49,9 @@ case FLDPLUS: case FLDEOF: if (uprf (name, "distribute-")) - sprintf (name, "%s%s", "Resent", &name[10]); + snprintf (name, NAMESZ, "%s%s", "Resent", &name[10]); if (uprf (name, "distribution-")) - sprintf (name, "%s%s", "Resent", &name[12]); + snprintf (name, NAMESZ, "%s%s", "Resent", &name[12]); if (!uprf (name, "resent")) { advise (NULL, BADHDR, "draft", name); goto leave_bad; @@ -135,7 +135,7 @@ if ((ifp = fopen (msgnam, "r")) == NULL) adios (msgnam, "unable to open message"); - strcpy (tmpfil, m_tmpfil ("dist")); + strncpy (tmpfil, m_tmpfil ("dist"), BUFSIZ); if ((hdrfd = open (tmpfil, O_RDWR | O_CREAT | O_TRUNC, 0600)) == NOTOK) adios (tmpfil, "unable to re-open temporary file"); if ((out = dup (hdrfd)) == NOTOK @@ -165,7 +165,7 @@ case BODYEOF: fclose (ofp); - strcpy (tmpfil, m_tmpfil ("dist")); + strncpy (tmpfil, m_tmpfil ("dist"), BUFSIZ); if ((txtfd = open (tmpfil, O_RDWR | O_CREAT | O_TRUNC, 0600)) == NOTOK) adios (tmpfil, "unable to open temporary file"); if ((out = dup (txtfd)) == NOTOK --- nmh-0.27/uip/dp.c.security Wed Jan 14 21:08:15 1998 +++ nmh-0.27/uip/dp.c Sat Jul 18 16:25:47 1998 @@ -50,20 +50,20 @@ { int datep = 0, width = 0, status = 0; char *cp, *form = NULL, *format = NULL, *nfs; - char buf[80], **ap, **argp, *arguments[MAXARGS]; + char buf[BUFSIZ], **ap, **argp, *arguments[MAXARGS]; char *dates[NDATES]; #ifdef LOCALE setlocale(LC_ALL, ""); #endif invo_name = r1bindex (argv[0], '/'); - if ((cp = context_find (invo_name))) { + if ((cp = context_find (invo_name)) != NULL) { ap = brkstring (cp = getcpy (cp), " ", "\n"); - ap = copyip (ap, arguments); + ap = copyip_n(ap, arguments, MAXARGS); } else { ap = arguments; } - copyip (argv + 1, ap); + copyip_n(argv + 1, ap, MAXARGS); argp = arguments; while ((cp = *argp++)) { 
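Review bot: `snprintf (name, NAMESZ, "%s%s", "Resent", &name[10]);` formats into the same array it reads from, and the C standard leaves copying between overlapping objects in the printf family undefined. It may work with one libc and corrupt the header name with another. An overlap-safe form is `memmove (name + 6, name + 10, strlen (name + 10) + 1); memcpy (name, "Resent", 6);`, with offset 12 for the "distribution-" case. Because the result is shorter than the input, no size limit is needed.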
@@ -76,7 +76,7 @@ adios (NULL, "-%s unknown", cp); case HELPSW: - sprintf (buf, "%s [switches] dates ...", invo_name); + snprintf (buf, BUFSIZ, "%s [switches] dates ...", invo_name); print_help (buf, switches, 1); done (1); case VERSIONSW: --- nmh-0.27/uip/dropsbr.c.security Fri Feb 13 00:57:21 1998 +++ nmh-0.27/uip/dropsbr.c Sat Jul 18 14:04:48 1998 @@ -355,12 +355,12 @@ char tmpbuffer[BUFSIZ]; char *tp, *ep, *fp; - strcpy(tmpbuffer, buffer); + strncpy(tmpbuffer, buffer, BUFSIZ); ep = tmpbuffer + 13; if (!(fp = strchr(ep + 1, ' '))) fp = strchr(ep + 1, '\n'); tp = dctime(dlocaltimenow()); - sprintf (buffer, "From %.*s %s", fp - ep, ep, tp); + snprintf (buffer, BUFSIZ, "From %.*s %s", fp - ep, ep, tp); } else if (!strncmp (buffer, "X-Envelope-From:", 16)) { /* * Change the "X-Envelope-From:" field @@ -369,9 +369,9 @@ char tmpbuffer[BUFSIZ]; char *ep; - strcpy(tmpbuffer, buffer); + strncpy(tmpbuffer, buffer, BUFSIZ); ep = tmpbuffer + 17; - sprintf (buffer, "From %s", ep); + snprintf (buffer, BUFSIZ, "From %s", ep); } else if (strncmp (buffer, "From ", 5)) { /* * If there is already a "From " line, @@ -380,11 +380,11 @@ char tmpbuffer[BUFSIZ]; char *tp, *ep; - strcpy(tmpbuffer, buffer); + strncpy(tmpbuffer, buffer, BUFSIZ); ep = "nobody@nowhere"; tp = dctime(dlocaltimenow()); - sprintf (buffer, "From %s %s", ep, tp); - strcat (buffer, tmpbuffer); + snprintf (buffer, BUFSIZ, "From %s %s", ep, tp); + strncat (buffer, tmpbuffer, BUFSIZ-strlen(buffer)); } } @@ -469,9 +469,9 @@ if ((dp = strchr(cp = r1bindex (file, '/'), '.')) == NULL) dp = cp + strlen (cp); if (cp == file) - sprintf (buffer, ".%.*s%s", dp - cp, cp, ".map"); + snprintf (buffer, BUFSIZ, ".%.*s%s", dp - cp, cp, ".map"); else - sprintf (buffer, "%.*s.%.*s%s", cp - file, file, dp - cp, cp, ".map"); + snprintf (buffer, BUFSIZ, "%.*s.%.*s%s", cp - file, file, dp - cp, cp, ".map"); return buffer; } --- nmh-0.27/uip/flist.c.security Fri May 8 13:02:18 1998 +++ nmh-0.27/uip/flist.c Sat Jul 18 14:04:48 1998 
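Review bot: In the -380 hunk of dropsbr.c the count in `strncat (buffer, tmpbuffer, BUFSIZ-strlen(buffer))` is one too large. strncat's third argument is the number of characters to append, not counting the NUL it always adds, so a full append writes one byte past a BUFSIZ-sized buffer. Use `strncat (buffer, tmpbuffer, BUFSIZ - strlen (buffer) - 1);`. flist.c has the same off-by-one in `strncat(name, dp->d_name, sizeof(name)-strlen(name))`, where the preceding `strncpy(name, base, sizeof(name)-2)` may also leave name unterminated before `strcat(name, "/")` runs. buffer's declaration is outside the hunk, so its size is assumed to be BUFSIZ.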
@@ -114,7 +114,7 @@ char *cp, **ap; char **argp, **lastArg; char *arguments[MAXARGS]; - char buf[100]; + char buf[BUFSIZ]; #ifdef LOCALE setlocale(LC_ALL, ""); @@ -130,11 +130,11 @@ if ((cp = context_find(invo_name)) != NULL) { ap = brkstring(cp = getcpy(cp), " ", "\n"); - ap = copyip(ap, arguments); + ap = copyip_n(ap, arguments, MAXARGS); } else { ap = arguments; } - lastArg = copyip(argv + 1, ap); + lastArg = copyip_n(argv + 1, ap, MAXARGS); argp = arguments; argc = lastArg - argp; foldersToDo = (char **) malloc(argc * sizeof(char *)); @@ -150,7 +150,7 @@ adios(NULL, "-%s unknown", cp); case HELPSW: - sprintf(buf, "%s [+folder1 [+folder2 ...]][switches]", invo_name); + snprintf(buf, BUFSIZ, "%s [+folder1 [+folder2 ...]][switches]", invo_name); print_help(buf, switches, 1); done(1); case VERSIONSW: @@ -278,7 +278,7 @@ if (nFoldersToDo > 0) { /* Update context */ - strcpy (curfolder, foldersToDo[nFoldersToDo - 1]); + strncpy (curfolder, foldersToDo[nFoldersToDo - 1], BUFSIZ); context_replace (pfolder, curfolder);/* update current folder */ context_save (); /* save the context file */ @@ -379,10 +379,10 @@ } if (dp->d_name[0] == '.') continue; - strcpy(name, base); + strncpy(name, base, sizeof(name)-2); if (*base) strcat(name, "/"); - strcat(name, dp->d_name); + strncat(name, dp->d_name, sizeof(name)-strlen(name)); if ((stat(name, &st) != -1) && S_ISDIR(st.st_mode)) { /* * Check if this was really a symbolic link pointing @@ -501,9 +501,9 @@ for (i = 0; i < nFolders; ++i) { /* Add `+' to end of name of current folder */ if (strcmp(curfolder, folders[i].name)) - sprintf(tmpname, "%s", folders[i].name); + snprintf(tmpname, BUFSIZ, "%s", folders[i].name); else - sprintf(tmpname, "%s+", folders[i].name); + snprintf(tmpname, BUFSIZ, "%s+", folders[i].name); if (folders[i].error) { printf("%-*s is unreadable\n", maxlen+1, tmpname); 
@@ -610,7 +610,7 @@ char atrcur[BUFSIZ]; register struct node *np; - sprintf (atrcur, "atr-%s-", current); + snprintf (atrcur, BUFSIZ, "atr-%s-", current); atrlen = strlen (atrcur); context_read (); --- nmh-0.27/uip/fmtdump.c.security Sun Jan 25 05:31:29 1998 +++ nmh-0.27/uip/fmtdump.c Sat Jul 18 16:25:59 1998 @@ -44,7 +44,7 @@ { int ncomps; char *cp, *form = NULL, *format = NULL; - char buf[100], **ap, **argp; + char buf[BUFSIZ], **ap, **argp; char *nfs, *arguments[MAXARGS]; struct format *fmt; @@ -52,13 +52,13 @@ setlocale(LC_ALL, ""); #endif invo_name = r1bindex (argv[0], '/'); - if ((cp = context_find (invo_name))) { + if ((cp = context_find (invo_name)) != NULL) { ap = brkstring (cp = getcpy (cp), " ", "\n"); - ap = copyip (ap, arguments); + ap = copyip_n(ap, arguments, BUFSIZ); } else { ap = arguments; } - copyip (argv + 1, ap); + copyip_n(argv + 1, ap, BUFSIZ); argp = arguments; while ((cp = *argp++)) { @@ -71,7 +71,7 @@ adios (NULL, "-%s unknown", cp); case HELPSW: - sprintf (buf, "%s [switches]", invo_name); + snprintf (buf, BUFSIZ,"%s [switches]", invo_name); print_help (buf, switches, 1); done (1); case VERSIONSW: @@ -434,7 +434,8 @@ case FT_V_MATCH: return("V_MATCH"); case FT_V_AMATCH: return("V_AMATCH"); default: - printf(buf, "/* ??? #%d */", t); + /* Note - this isnt just security it was *wrong* in the original - AC*/ + snprintf(buf, sizeof(buf), "/* ??? #%d */", t); return(buf); } } --- nmh-0.27/uip/folder.c.security Sun Jun 7 16:00:33 1998 +++ nmh-0.27/uip/folder.c Sat Jul 18 16:28:40 1998 @@ -132,7 +132,7 @@ int printsw = 0, listsw = 0; int pushsw = 0, popsw = 0; char *cp, *dp, *msg = NULL, *argfolder = NULL; - char **ap, **argp, buf[100], *arguments[MAXARGS]; + char **ap, **argp, buf[BUFSIZ], *arguments[MAXARGS]; struct stat st; #ifdef LOCALE 
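Review bot: `copyip_n(ap, arguments, BUFSIZ)` and `copyip_n(argv + 1, ap, BUFSIZ)` in the fmtdump.c @@ -52 hunk bound the copy by BUFSIZ, a stdio byte count, while `arguments` is declared as `*arguments[MAXARGS]` in the hunk above. Unless MAXARGS happens to be at least BUFSIZ, which the page does not show, the limit does not protect the array. The first call should read `copyip_n(ap, arguments, MAXARGS);` and the second should be limited to the slots left after `ap`. forw.c (@@ -137) and popi.c (@@ -103) pass BUFSIZ in the same way.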
@@ -147,13 +147,13 @@ if (argv[0][strlen (argv[0]) - 1] == 's') all = 1; - if ((cp = context_find (invo_name))) { + if ((cp = context_find (invo_name)) != NULL) { ap = brkstring (cp = getcpy (cp), " ", "\n"); - ap = copyip (ap, arguments); + ap = copyip_n(ap, arguments, MAXARGS); } else { ap = arguments; } - copyip (argv + 1, ap); + copyip_n(argv + 1, ap, MAXARGS); argp = arguments; while ((cp = *argp++)) { @@ -166,7 +166,7 @@ adios (NULL, "-%s unknown", cp); case HELPSW: - sprintf (buf, "%s [+folder] [msg] [switches]", invo_name); + snprintf (buf, BUFSIZ, "%s [+folder] [msg] [switches]", invo_name); print_help (buf, switches, 1); done (1); case VERSIONSW: @@ -269,7 +269,7 @@ } } - if (!context_find ("path")) + if (context_find ("path") == NULL) free (path ("./", TFOLDER)); nmhdir = concat (m_maildir (""), "/", NULL); @@ -285,7 +285,7 @@ if (!argfolder) { /* If no folder is given, the current folder and */ /* the top of the folder stack are swapped. */ - if ((cp = context_find (stack))) { + if ((cp = context_find (stack)) != NULL) { dp = getcpy (cp); ap = brkstring (dp, " ", "\n"); argfolder = getcpy(*ap++); @@ -309,7 +309,7 @@ if (popsw) { if (argfolder) adios (NULL, "sorry, no folders allowed with -pop"); - if ((cp = context_find (stack))) { + if ((cp = context_find (stack)) != NULL) { dp = getcpy (cp); ap = brkstring (dp, " ", "\n"); argfolder = getcpy(*ap++); @@ -339,7 +339,7 @@ /* Listing the folder stack */ if (listsw) { printf ("%s", argfolder ? argfolder : getfolder (1)); - if ((cp = context_find (stack))) { + if ((cp = context_find (stack)) != NULL) { dp = getcpy (cp); for (ap = brkstring (dp, " ", "\n"); *ap; ap++) printf (" %s", *ap); 
@@ -388,13 +388,13 @@ dodir (folder); } } else { - strcpy (folder, argfolder ? argfolder : getfolder (1)); + strncpy (folder, argfolder ? argfolder : getfolder (1), BUFSIZ); /* * Check if folder exists. If not, then see if * we should create it, or just exit. */ - if (stat (strcpy (buf, m_maildir (folder)), &st) == -1) { + if (stat (strncpy (buf, m_maildir (folder), BUFSIZ), &st) == -1) { if (errno != ENOENT) adios (buf, "error on folder"); if (fcreat == 0) { @@ -444,7 +444,7 @@ if (chdir (nmhdir) == NOTOK) adios (nmhdir, "unable to change directory to"); - addir (strcpy (buffer, dir)); + addir (strncpy (buffer, dir, BUFSIZ)); for (i = start; i < foldp; i++) { get_folder_info (folds[i], NULL); @@ -609,9 +609,9 @@ /* Add `+' to end of name, if folder is current */ if (strcmp (folder, fi[i].name)) - sprintf (tmpname, "%s", fi[i].name); + snprintf (tmpname, BUFSIZ, "%s", fi[i].name); else - sprintf (tmpname, "%s+", fi[i].name); + snprintf (tmpname, BUFSIZ, "%s+", fi[i].name); if (fi[i].error) { printf ("%-*s is unreadable\n", maxlen+1, tmpname); @@ -809,7 +809,7 @@ char atrcur[BUFSIZ]; register struct node *np; - sprintf (atrcur, "atr-%s-", current); + snprintf (atrcur, BUFSIZ, "atr-%s-", current); atrlen = strlen (atrcur); context_read (); --- nmh-0.27/uip/forw.c.security Wed Jul 1 00:16:26 1998 +++ nmh-0.27/uip/forw.c Sat Jul 18 16:29:17 1998 @@ -125,7 +125,7 @@ char *cp, *cwd, *maildir, *dfolder = NULL; char *dmsg = NULL, *digest = NULL, *ed = NULL; char *file = NULL, *filter = NULL, *folder = NULL; - char *form = NULL, buf[100], value[10], **ap; + char *form = NULL, buf[BUFSIZ], value[10], **ap; char **argp, *arguments[MAXARGS], *msgs[MAXARGS]; struct stat st; 
@@ -137,13 +137,13 @@ setlocale(LC_ALL, ""); #endif invo_name = r1bindex (argv[0], '/'); - if ((cp = context_find (invo_name))) { + if ((cp = context_find (invo_name)) != NULL) { ap = brkstring (cp = getcpy (cp), " ", "\n"); - ap = copyip (ap, arguments); + ap = copyip_n(ap, arguments, BUFSIZ); } else { ap = arguments; } - copyip (argv + 1, ap); + copyip_n(argv + 1, ap, BUFSIZ); argp = arguments; while ((cp = *argp++)) { @@ -156,7 +156,7 @@ adios (NULL, "-%s unknown", cp); case HELPSW: - sprintf (buf, "%s [+folder] [msgs] [switches]", invo_name); + snprintf (buf, BUFSIZ, "%s [+folder] [msgs] [switches]", invo_name); print_help (buf, switches, 1); done (1); case VERSIONSW: @@ -289,7 +289,7 @@ cwd = getcpy (pwd ()); - if (!context_find ("path")) + if (context_find ("path") == NULL) free (path ("./", TFOLDER)); if (file && (msgp || folder)) adios (NULL, "can't mix files and folders/msgs"); @@ -297,13 +297,13 @@ try_it_again: #ifdef MHE - strcpy (drft, buildsw ? m_maildir ("draft") - : m_draft (dfolder, NULL, NOUSE, &isdf)); + strncpy (drft, buildsw ? m_maildir ("draft") + : m_draft (dfolder, NULL, NOUSE, &isdf), BUFSIZ); /* Check if a draft already exists */ if (!buildsw && stat (drft, &st) != NOTOK) { #else - strcpy (drft, m_draft (dfolder, dmsg, NOUSE, &isdf)); + strncpy (drft, m_draft (dfolder, dmsg, NOUSE, &isdf), BUFSIZ); /* Check if a draft already exists */ if (stat (drft, &st) != NOTOK) { @@ -371,7 +371,7 @@ */ if (digest) { if (issue == 0) { - sprintf (buf, IFORMAT, digest); + snprintf (buf, BUFSIZ,IFORMAT, digest); if (volume == 0 && (cp = context_find (buf)) && ((issue = atoi (cp)) < 0)) @@ -379,7 +379,7 @@ issue++; } if (volume == 0) - sprintf (buf, VFORMAT, digest); + snprintf (buf, BUFSIZ, VFORMAT, digest); if ((cp = context_find (buf)) == NULL || (volume = atoi (cp)) <= 0) volume = 1; if (!form) 
@@ -426,10 +426,10 @@ close (out); if (digest) { - sprintf (buf, IFORMAT, digest); + snprintf (buf, BUFSIZ, IFORMAT, digest); sprintf (value, "%d", issue); context_replace (buf, getcpy (value)); - sprintf (buf, VFORMAT, digest); + snprintf (buf, BUFSIZ, VFORMAT, digest); sprintf (value, "%d", volume); context_replace (buf, getcpy (value)); } @@ -507,7 +507,7 @@ if (mp->numsel >= MAXARGS - i) adios (NULL, "more than %d messages for %s exec", vec[0], MAXARGS - i); - for (msgnum = mp->lowsel; msgnum <= mp->hghsel; msgnum++) + for (msgnum = mp->lowsel; msgnum <= mp->hghsel && ilowsel; msgnum <= mp->hghsel; msgnum++) { if (is_selected (mp, msgnum)) { if (digest) - strcpy (buffer, msgnum == mp->lowsel ? delim3 : delim4); + strncpy (buffer, msgnum == mp->lowsel ? delim3 : delim4, BUFSIZ); else { - strcpy (bp = buffer, "\n-------"), bp += strlen (bp); + strncpy (bp = buffer, "\n-------", BUFSIZ-3), bp += strlen (bp); if (msgnum == mp->lowsel) - sprintf (bp, " Forwarded Message%s", mp->numsel > 1 ? "s" : ""); + snprintf (bp, BUFSIZ-(bp-buffer)-2," Forwarded Message%s", mp->numsel > 1 ? "s" : ""); else - sprintf (bp, " Message %d", msgcnt); + snprintf (bp, BUFSIZ-(bp-buffer)-2, " Message %d", msgcnt); bp += strlen (bp); strcpy (bp, "\n\n"); } @@ -578,13 +578,13 @@ if (digest) { strcpy (buffer, delim4); } else { - sprintf (buffer, "\n------- End of Forwarded Message%s\n\n", + snprintf (buffer, BUFSIZ, "\n------- End of Forwarded Message%s\n\n", mp->numsel > 1 ? "s" : ""); } write (out, buffer, strlen (buffer)); if (digest) { - sprintf (buffer, "End of %s Digest [Volume %d Issue %d]\n", digest, volume, issue); + snprintf (buffer, BUFSIZ, "End of %s Digest [Volume %d Issue %d]\n", digest, volume, issue); i = strlen (buffer); for (bp = buffer + i; i > 1; i--) *bp++ = '*'; 
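Review bot: `sprintf (value, "%d", issue)` and `sprintf (value, "%d", volume)` in the @@ -426 hunk are left unbounded although the lines around them were converted. `value` is declared as `value[10]` in this file's declaration hunk, which holds nine digits plus the NUL, and `issue` and `volume` are read with `atoi` from a profile entry in an earlier hunk, so a ten-digit value overruns it. Suggested: `snprintf (value, sizeof(value), "%d", issue);` and the same for `volume`, with `value` enlarged to hold any int.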
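Review bot: The bound added to `snprintf (buffer, BUFSIZ, "End of %s Digest [Volume %d Issue %d]\n", ...)` in the @@ -578 hunk does not cover the loop that follows, `for (bp = buffer + i; i > 1; i--) *bp++ = '*';`, which appends nearly as many asterisks as the text is long. With a long `digest` the text can fill most of the buffer and the underline then runs past it. Limiting the text to half the buffer, `snprintf (buffer, BUFSIZ / 2, ...)`, keeps text and underline inside BUFSIZ bytes, assuming `buffer` is that large; its declaration and the rest of the loop are outside the hunk. mhlsbr.c (@@ -460) has the same pattern with `buf`.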
@@ -605,12 +605,12 @@ int msgnum; char buffer[BUFSIZ]; - sprintf (buffer, "#forw [forwarded message%s] +%s", + snprintf (buffer, BUFSIZ, "#forw [forwarded message%s] +%s", mp->numsel == 1 ? "" : "s", mp->foldpath); write (out, buffer, strlen (buffer)); for (msgnum = mp->lowsel; msgnum <= mp->hghsel; msgnum++) if (is_selected (mp, msgnum)) { - sprintf (buffer, " %s", m_name (msgnum)); + snprintf (buffer, BUFSIZ, " %s", m_name (msgnum)); write (out, buffer, strlen (buffer)); } write (out, "\n", 1); @@ -647,7 +647,7 @@ dat[3] = fmtsize; dat[4] = 0; - strcpy (tmpfil, m_tmpfil (invo_name)); + strncpy (tmpfil, m_tmpfil (invo_name), BUFSIZ); if ((tmp = fopen (tmpfil, "w+")) == NULL) adios (tmpfil, "unable to create"); unlink (tmpfil); --- nmh-0.27/uip/ftpsbr.c.security Wed Feb 25 17:29:11 1998 +++ nmh-0.27/uip/ftpsbr.c Sat Jul 18 14:04:48 1998 @@ -99,6 +99,7 @@ { register int eindex; char *fmt; + int len=BUFSIZ; eindex = errno; @@ -106,7 +107,7 @@ fmt = va_arg (ap, char *); if (fmt) { - vsprintf(bp, fmt, ap); + len-=vsnprintf(bp, len, fmt, ap); bp += strlen(bp); } @@ -114,13 +115,16 @@ char *s; if (*what) { - sprintf (bp, " %s: ", what); + len-=snprintf (bp, len, " %s: ", what); bp += strlen (bp); } if ((s = strerror(eindex))) - strcpy (bp, s); + { + strncpy (bp, s, len); + len-=strlen(s); + } else - sprintf (bp, "Error %d", eindex); + len-=snprintf(bp, len,"Error %d", eindex); bp += strlen (bp); } --- nmh-0.27/uip/inc.c.security Sat May 16 17:28:30 1998 +++ nmh-0.27/uip/inc.c Sat Jul 18 16:29:50 1998 @@ -165,7 +165,7 @@ char *format = NULL, *form = NULL; char *newmail, *host = NULL; char *audfile = NULL, *from = NULL; - char buf[100], **ap; + char buf[BUFSIZ], **ap; char **argp, *nfs, *arguments[MAXARGS]; char *user = NULL; struct msgs *mp; 
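Review bot: In the ftpsbr.c hunks the remaining space is tracked with `len-=vsnprintf(bp, len, fmt, ap)` and `len-=snprintf (...)`, but on truncation these functions return the length that would have been written (or a negative value on some older libraries), so `len` can drop below zero and is then converted to a huge size in the next call. Tracking what is actually in the buffer avoids that: `len -= strlen (bp); bp += strlen (bp);` after each write, and no further writes once `len` reaches 1. `strncpy (bp, s, len)` additionally leaves the text unterminated when `s` does not fit. `len` starts at BUFSIZ on the assumption that `bp` points at a buffer of that size, which is not visible in these hunks.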
@@ -218,13 +218,13 @@ snoop++; #endif /* POP */ - if ((cp = context_find (invo_name))) { + if ((cp = context_find (invo_name)) != NULL) { ap = brkstring (cp = getcpy (cp), " ", "\n"); - ap = copyip (ap, arguments); + ap = copyip_n (ap, arguments, MAXARGS); } else { ap = arguments; } - copyip (argv + 1, ap); + copyip_n (argv + 1, ap, MAXARGS); argp = arguments; while ((cp = *argp++)) { @@ -237,7 +237,7 @@ adios (NULL, "-%s unknown", cp); case HELPSW: - snprintf (buf, 100, "%s [+folder] [switches]", invo_name); + snprintf (buf, BUFSIZ, "%s [+folder] [switches]", invo_name); print_help (buf, switches, 1); done (1); case VERSIONSW: @@ -450,7 +450,7 @@ goto go_to_it; #endif /* POP */ - if (!context_find ("path")) + if (context_find ("path") == NULL) free (path ("./", TFOLDER)); if (!folder) folder = getfolder (0); @@ -532,7 +532,7 @@ } #ifdef MHE - if (context_find ("mhe")) { + if (context_find ("mhe") != NULL) { cp = concat (maildir, "/++", NULL); i = stat (cp, &st); if ((mhe = fopen (cp, "a")) == NULL) --- nmh-0.27/uip/install-mh.c.security Tue Jun 30 22:47:48 1998 +++ nmh-0.27/uip/install-mh.c Sat Jul 18 14:04:48 1998 @@ -38,7 +38,7 @@ { int i, autof = 0; char *cp, *path; - char buf[100], *dp; + char buf[BUFSIZ], *dp; char *arguments[MAXARGS], **argp; struct node *np; struct passwd *pw; @@ -49,7 +49,7 @@ setlocale(LC_ALL, ""); #endif invo_name = r1bindex (argv[0], '/'); - copyip (argv + 1, arguments); + copyip_n (argv + 1, arguments, MAXARGS); argp = arguments; while ((dp = *argp++)) { @@ -62,7 +62,7 @@ adios (NULL, "-%s unknown\n", dp); case HELPSW: - sprintf (buf, "%s [switches]", invo_name); + snprintf (buf, BUFSIZ, "%s [switches]", invo_name); print_help (buf, switches, 0); done (1); case VERSIONSW: --- nmh-0.27/uip/mark.c.security Wed Jan 14 21:09:46 1998 +++ nmh-0.27/uip/mark.c Sat Jul 18 16:30:08 1998 
@@ -48,7 +48,7 @@ int addsw = 0, deletesw = 0, debugsw = 0; int listsw = 0, publicsw = -1, zerosw = 0; int seqp = 0, msgp = 0, msgnum; - char *cp, *maildir, *folder = NULL, buf[100]; + char *cp, *maildir, *folder = NULL, buf[BUFSIZ]; char **ap, **argp, *arguments[MAXARGS]; char *seqs[NUMATTRS + 1], *msgs[MAXARGS]; struct msgs *mp; @@ -57,13 +57,13 @@ setlocale(LC_ALL, ""); #endif invo_name = r1bindex (argv[0], '/'); - if ((cp = context_find (invo_name))) { + if ((cp = context_find (invo_name)) != NULL) { ap = brkstring (cp = getcpy (cp), " ", "\n"); - ap = copyip (ap, arguments); + ap = copyip_n(ap, arguments, MAXARGS); } else { ap = arguments; } - copyip (argv + 1, ap); + copyip_n(argv + 1, ap, MAXARGS); argp = arguments; while ((cp = *argp++)) { @@ -76,7 +76,7 @@ adios (NULL, "-%s unknown\n", cp); case HELPSW: - sprintf (buf, "%s [+folder] [msgs] [switches]", invo_name); + snprintf (buf, BUFSIZ, "%s [+folder] [msgs] [switches]", invo_name); print_help (buf, switches, 1); done (1); case VERSIONSW: @@ -146,7 +146,7 @@ listsw++; } - if (!context_find ("path")) + if (context_find ("path") == NULL) free (path ("./", TFOLDER)); if (!msgp) msgs[msgp++] = listsw ? "all" :"cur"; --- nmh-0.27/uip/mhbuild.c.security Sun Jun 21 21:41:42 1998 +++ nmh-0.27/uip/mhbuild.c Sat Jul 18 16:30:56 1998 @@ -122,7 +122,7 @@ { int sizesw = 1, headsw = 1; int *icachesw; - char *cp, buf[100]; + char *cp, buf[BUFSIZ]; char buffer[BUFSIZ], *compfile = NULL; char **ap, **argp, *arguments[MAXARGS]; CT ct, cts[2]; @@ -133,13 +133,13 @@ #endif invo_name = r1bindex (argv[0], '/'); - if ((cp = context_find (invo_name))) { + if ((cp = context_find (invo_name)) != NULL) { ap = brkstring (cp = getcpy (cp), " ", "\n"); - ap = copyip (ap, arguments); + ap = copyip_n(ap, arguments, MAXARGS); } else { ap = arguments; } - copyip (argv + 1, ap); + copyip_n (argv + 1, ap, MAXARGS); argp = arguments; while ((cp = *argp++)) { 
@@ -161,7 +161,7 @@ adios (NULL, "-%s unknown", cp); case HELPSW: - sprintf (buf, "%s [switches] file", invo_name); + snprintf (buf, BUFSIZ, "%s [switches] file", invo_name); print_help (buf, switches, 1); done (1); case VERSIONSW: @@ -272,13 +272,13 @@ } /* Check for public cache location */ - sprintf (buf, "%s-cache", invo_name); + snprintf (buf, BUFSIZ, "%s-cache", invo_name); if ((cache_public = context_find (buf)) && *cache_public != '/') cache_public = NULL; /* Check for private cache location */ - sprintf (buf, "%s-private-cache", invo_name); - if (!(cache_private = context_find (buf))) + snprintf (buf, BUFSIZ, "%s-private-cache", invo_name); + if ((cache_private = context_find (buf)) == NULL) cache_private = ".cache"; cache_private = getcpy (m_maildir (cache_private)); @@ -287,13 +287,13 @@ * will store temporary files there. Else we * store them in standard nmh directory. */ - sprintf (buf, "%s-storage", invo_name); + snprintf (buf, BUFSIZ,"%s-storage", invo_name); if ((cp = context_find (buf)) && *cp) tmp = concat (cp, "/", invo_name, NULL); else tmp = add (m_maildir (invo_name), NULL); - if (!context_find ("path")) + if (context_find ("path") == NULL) free (path ("./", TFOLDER)); /* Check if we have a file to process */ @@ -359,7 +359,7 @@ list_all_messages (cts, headsw, sizesw, verbosw, debugsw); /* Rename composition draft */ - sprintf (buffer, "%s.orig", m_backup (compfile)); + snprintf (buffer, BUFSIZ, "%s.orig", m_backup (compfile)); if (rename (compfile, buffer) == NOTOK) adios (compfile, "unable to rename %s to", buffer); --- nmh-0.27/uip/mhlsbr.c.security Mon May 25 02:32:59 1998 +++ nmh-0.27/uip/mhlsbr.c Sat Jul 18 14:04:48 1998 @@ -294,7 +294,7 @@ int width = 0, vecp = 0, i; char *cp, *folder = NULL; char *form = NULL, **ap, **argp; - char buf[80], *arguments[MAXARGS], *files[MAXARGS]; + char buf[BUFSIZ], *arguments[MAXARGS], *files[MAXARGS]; invo_name = r1bindex (argv[0], '/'); 
@@ -303,11 +303,11 @@ if ((cp = context_find (invo_name)) != NULL) { ap = brkstring (getcpy (cp), " ", "\n"); - ap = copyip (ap, arguments); + ap = copyip_n (ap, arguments, MAXARGS); } else { ap = arguments; } - copyip (argv + 1, ap); + copyip_n(argv + 1, ap, MAXARGS); argp = arguments; if ((cp = getenv ("FACEPROC"))) @@ -324,7 +324,7 @@ adios (NULL, "-%s unknown\n", cp); case HELPSW: - sprintf (buf, "%s [switches] [files ...]", invo_name); + snprintf (buf, BUFSIZ, "%s [switches] [files ...]", invo_name); print_help (buf, mhlswitches, 1); done (1); case VERSIONSW: @@ -460,10 +460,10 @@ if (digest) { printf ("%s", delim4); if (volume == 0) { - sprintf (buf, "End of %s Digest\n", digest); + snprintf (buf, BUFSIZ, "End of %s Digest\n", digest); } else - sprintf (buf, "End of %s Digest [Volume %d Issue %d]\n", digest, volume, issue); + snprintf (buf, BUFSIZ, "End of %s Digest [Volume %d Issue %d]\n", digest, volume, issue); i = strlen (buf); for (cp = buf + i; i > 1; i--) *cp++ = '*'; @@ -636,7 +636,7 @@ if (!*parptr) return 0; - strcpy (name, parse ()); + strncpy (name, parse (), NAMESZ); if (!strcasecmp (name, "component")) { if (ptos (name, &c1->c_text)) @@ -744,7 +744,7 @@ char *cp; static char result[NAMESZ]; - for (cp = result; *parptr; parptr++) { + for (cp = result; *parptr; parptr++ && cp-result < NAMESZ) { c = *parptr; if (isalnum (c) || c == '.' --- nmh-0.27/uip/mhn.c.security Fri Jun 19 03:24:28 1998 +++ nmh-0.27/uip/mhn.c Sat Jul 18 16:31:50 1998 @@ -218,7 +218,7 @@ int sizesw = 1, headsw = 1; int msgp = 0, msgnum, *icachesw; char *cp, *file = NULL, *folder = NULL; - char *maildir, buf[100], **ap, **argp; + char *maildir, buf[BUFSIZ], **ap, **argp; char *arguments[MAXARGS], *msgs[MAXARGS]; struct msgs *mp = NULL; CT ct, *ctp; 
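Review bot: In `for (cp = result; *parptr; parptr++ && cp-result < NAMESZ)` (mhlsbr.c, @@ -744) the new length test sits in the increment expression, where its value is discarded, so the loop is still bounded only by `*parptr` and can write past `result[NAMESZ]`. The test belongs in the condition, leaving room for the terminator: `for (cp = result; *parptr && cp - result < NAMESZ - 1; parptr++) {`. The loop body and the code that terminates `result` are outside the hunk, so the `- 1` assumes a NUL is stored after the loop.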
@@ -228,13 +228,13 @@ setlocale(LC_ALL, ""); #endif invo_name = r1bindex (argv[0], '/'); - if ((cp = context_find (invo_name))) { + if ((cp = context_find (invo_name)) != NULL) { ap = brkstring (cp = getcpy (cp), " ", "\n"); - ap = copyip (ap, arguments); + ap = copyip_n(ap, arguments, MAXARGS); } else { ap = arguments; } - copyip (argv + 1, ap); + copyip_n(argv + 1, ap, MAXARGS); argp = arguments; while ((cp = *argp++)) { @@ -247,7 +247,7 @@ adios (NULL, "-%s unknown", cp); case HELPSW: - sprintf (buf, "%s [+folder] [msgs] [switches]", invo_name); + snprintf (buf, BUFSIZ, "%s [+folder] [msgs] [switches]", invo_name); print_help (buf, switches, 1); done (1); case VERSIONSW: @@ -468,13 +468,13 @@ } /* Check for public cache location */ - sprintf (buf, "%s-cache", invo_name); + snprintf (buf, BUFSIZ, "%s-cache", invo_name); if ((cache_public = context_find (buf)) && *cache_public != '/') cache_public = NULL; /* Check for private cache location */ - sprintf (buf, "%s-private-cache", invo_name); - if (!(cache_private = context_find (buf))) + snprintf (buf, BUFSIZ,"%s-private-cache", invo_name); + if ((cache_private = context_find (buf)) == NULL) cache_private = ".cache"; cache_private = getcpy (m_maildir (cache_private)); @@ -488,13 +488,13 @@ * then store temporary files there. Else we * store them in standard nmh directory. */ - sprintf (buf, "%s-storage", invo_name); + snprintf (buf, BUFSIZ, "%s-storage", invo_name); if ((cp = context_find (buf)) && *cp) tmp = concat (cp, "/", invo_name, NULL); else tmp = add (m_maildir (invo_name), NULL); - if (!context_find ("path")) + if (context_find ("path") == NULL) free (path ("./", TFOLDER)); /* --- nmh-0.27/uip/mhmail.c.security Wed Jan 14 21:10:29 1998 +++ nmh-0.27/uip/mhmail.c Sat Jul 18 14:04:48 1998 
@@ -73,7 +73,7 @@ adios (NULL, "-%s unknown", cp); case HELPSW: - sprintf (buf, "%s [addrs ... [switches]]", invo_name); + snprintf (buf, BUFSIZ, "%s [addrs ... [switches]]", invo_name); print_help (buf, switches, 0); done (1); case VERSIONSW: --- nmh-0.27/uip/mhparam.c.security Thu Jan 22 17:53:01 1998 +++ nmh-0.27/uip/mhparam.c Sat Jul 18 16:32:07 1998 @@ -83,17 +83,17 @@ int i, compp = 0, missed = 0; int all = 0, debug = 0; int components = -1; - char *cp, buf[100], **ap, **argp; + char *cp, buf[BUFSIZ], **ap, **argp; char *arguments[MAXARGS], *comps[MAXARGS]; invo_name = r1bindex (argv[0], '/'); - if ((cp = context_find (invo_name))) { + if ((cp = context_find (invo_name)) != NULL) { ap = brkstring (cp = getcpy (cp), " ", "\n"); - ap = copyip (ap, arguments); + ap = copyip_n (ap, arguments, MAXARGS); } else { ap = arguments; } - copyip (argv + 1, ap); + copyip_n (argv + 1, ap, MAXARGS); argp = arguments; while ((cp = *argp++)) { @@ -106,7 +106,7 @@ adios (NULL, "-%s unknown", cp); case HELPSW: - sprintf (buf, "%s [profile-components] [switches]", invo_name); + snprintf (buf, BUFSIZ, "%s [profile-components] [switches]", invo_name); print_help (buf, switches, 1); done (1); case VERSIONSW: --- nmh-0.27/uip/mhpath.c.security Wed Jan 14 21:11:15 1998 +++ nmh-0.27/uip/mhpath.c Sat Jul 18 16:32:32 1998 @@ -28,7 +28,7 @@ int i, maxmsgs, msgp = 0; char *cp, *maildir, *folder = NULL; char **ap, **argp, **msgs; - char *arguments[MAXARGS], buf[100]; + char *arguments[MAXARGS], buf[BUFSIZ]; struct msgs *mp; #ifdef LOCALE @@ -37,11 +37,11 @@ invo_name = r1bindex (argv[0], '/'); if ((cp = context_find (invo_name)) != NULL) { ap = brkstring (cp = getcpy (cp), " ", "\n"); - ap = copyip (ap, arguments); + ap = copyip_n(ap, arguments, MAXARGS); } else { ap = arguments; } - copyip (argv + 1, ap); + copyip_n(argv + 1, ap, MAXARGS); argp = arguments; /* Allocate initial space to record message/sequence names */ 
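Review bot: `snprintf (buf, BUFSIZ, ...)` in the mhmail.c hunk assumes `buf` holds BUFSIZ bytes, but the patch shows no hunk resizing `buf` in mhmail.c, unlike the other commands where the declaration is changed to `buf[BUFSIZ]`. If the declaration is smaller, the new bound is larger than the array and protects nothing. `snprintf (buf, sizeof(buf), ...)` is correct whatever the declared size, provided `buf` is an array in this scope. The declaration is outside the hunk, so this needs checking against the file; the help-text hunks in mshcmds.c rely on the same assumption.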
@@ -59,7 +59,7 @@ adios (NULL, "-%s unknown", cp); case HELPSW: - sprintf (buf, "%s [+folder] [msgs] [switches]", invo_name); + snprintf (buf, BUFSIZ ,"%s [+folder] [msgs] [switches]", invo_name); print_help (buf, switches, 1); done (1); case VERSIONSW: @@ -82,7 +82,7 @@ } } - if (!context_find ("path")) + if (context_find ("path") == NULL) free (path ("./", TFOLDER)); if (!folder) --- nmh-0.27/uip/msgchk.c.security Sat May 16 17:29:34 1998 +++ nmh-0.27/uip/msgchk.c Sat Jul 18 16:33:01 1998 @@ -122,13 +122,13 @@ snoop++; #endif - if ((cp = context_find (invo_name))) { + if ((cp = context_find (invo_name)) != NULL) { ap = brkstring (cp = getcpy (cp), " ", "\n"); - ap = copyip (ap, arguments); + ap = copyip_n(ap, arguments, MAXARGS); } else { ap = arguments; } - copyip (argv + 1, ap); + copyip_n (argv + 1, ap, MAXARGS); argp = arguments; while ((cp = *argp++)) { @@ -173,7 +173,8 @@ case USERSW: if (!(cp = *argp++) || *cp == '-') adios (NULL, "missing argument to %s", argp[-2]); - vec[vecp++] = cp; + if (vecp < 50) + vec[vecp++] = cp; continue; case APOPSW: @@ -194,7 +195,8 @@ snoop++; continue; } - vec[vecp++] = cp; + if (vecp<50) + vec[vecp++] = cp; } #ifdef POP --- nmh-0.27/uip/msh.c.security Mon Jun 22 16:12:35 1998 +++ nmh-0.27/uip/msh.c Sat Jul 18 16:33:12 1998 @@ -236,7 +236,7 @@ { int id = 0, scansw = 0, vmh1 = 0, vmh2 = 0; char *cp, *file = NULL, *folder = NULL; - char **ap, **argp, buf[80]; + char **ap, **argp, buf[BUFSIZ]; char *arguments[MAXARGS]; #ifdef BPOP int pmsh1 = 0, pmsh2 = 0; @@ -247,13 +247,13 @@ #endif invo_name = r1bindex (argv[0], '/'); mts_init (invo_name); - if ((cp = context_find (invo_name))) { + if ((cp = context_find (invo_name)) != NULL) { ap = brkstring (cp = getcpy (cp), " ", "\n"); - ap = copyip (ap, arguments); + ap = copyip_n (ap, arguments, MAXARGS); } else { ap = arguments; } - copyip (argv + 1, ap); + copyip_n (argv + 1, ap, MAXARGS); argp = arguments; while ((cp = *argp++)) { 
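Review bot: The two added guards `if (vecp < 50)` in the msgchk.c hunks use a bare literal and silently drop the user name when the table is full. `vec` is declared outside the hunks, so whether 50 matches its size, and whether a slot must stay free for a terminator, cannot be checked here. Deriving the limit from the array, `if (vecp < (int) (sizeof(vec) / sizeof(vec[0])))` (valid if `vec` is an array in this scope), and calling `adios (NULL, "too many users")` otherwise would keep the check in step with the declaration and tell the user what happened.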
@@ -266,7 +266,7 @@ adios (NULL, "-%s unknown", cp); case HELPSW: - sprintf (buf, "%s [switches] file", invo_name); + snprintf (buf, BUFSIZ, "%s [switches] file", invo_name); print_help (buf, switches, 1); done (1); case VERSIONSW: @@ -486,7 +486,7 @@ register struct Cmd *cmdp; static int once_only = ADVCMD; - sprintf (prompt, myprompt, invo_name); + snprintf (prompt, BUFSIZ, myprompt, invo_name); cmdp = &typein; for (;;) { @@ -537,7 +537,7 @@ case SORTCMD: if ((cp = context_find (cmd_name)) != NULL) { ap = brkstring (cp = getcpy (cp), " ", "\n"); - ap = copyip (ap, vec); + ap = copyip_n (ap, vec, MAXARGS); } else ap = vec; @@ -548,7 +548,7 @@ ap = vec; break; } - copyip (cmdp->args + 1, ap); + copyip_n (cmdp->args + 1, ap, MAXARGS); m_init (); @@ -726,7 +726,7 @@ #ifdef BPOP if (pmsh) { - strcpy (tmpfil, m_tmpfil (invo_name)); + strncpy (tmpfil, m_tmpfil (invo_name), BUFSIZ); if ((fp = fopen (tmpfil, "w+")) == NULL) padios (tmpfil, "unable to create"); unlink (tmpfil); @@ -1126,7 +1126,7 @@ { char buffer[BUFSIZ]; - sprintf (buffer, "%d-%d", low, hgh); + snprintf (buffer, BUFSIZ, "%d-%d", low, hgh); scanstring (buffer); } @@ -1138,7 +1138,7 @@ if ((cp = context_find (cmd_name = "scan")) != NULL) { ap = brkstring (cp = getcpy (cp), " ", "\n"); - ap = copyip (ap, vec); + ap = copyip_n (ap, vec, MAXARGS); } else ap = vec; @@ -1291,7 +1291,7 @@ write_ids (void) { int i = 0, seqnum, msgnum; - char buffer[80]; + char buffer[BUFSIZ]; if (pfd <= 1) return; @@ -1305,7 +1305,7 @@ break; } - sprintf (buffer, "%d %d\n", i, Msgs[mp->hghmsg].m_bboard_id); + snprintf (buffer, BUFSIZ, "%d %d\n", i, Msgs[mp->hghmsg].m_bboard_id); write (pfd, buffer, sizeof(buffer)); close (pfd); pfd = NOTOK; 
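Review bot: `snprintf (prompt, BUFSIZ, myprompt, invo_name)` in the @@ -486 hunk still uses a variable as the format string. If `myprompt` can be set from the command line or the profile, which is not visible in this hunk, any conversion specifiers in it are interpreted against a single argument. Validating when the option is parsed that the string contains at most one `%s` and no other conversion would close that. `prompt` is declared outside the hunk, so BUFSIZ as its size should be confirmed.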
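Review bot: Enlarging `buffer` to BUFSIZ in write_ids changes what `write (pfd, buffer, sizeof(buffer))` sends: it now writes BUFSIZ bytes, nearly all of them uninitialised stack contents after the short "%d %d\n" text, where it used to write 80. The formatted text never needs more than a few dozen bytes, so the array did not need to grow. Either keep `char buffer[80]` with `snprintf (buffer, sizeof(buffer), ...)`, or send only the text with `write (pfd, buffer, strlen (buffer))` if the reader on `pfd` does not expect a fixed-size record; the reader is not on this page.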
@@ -1381,8 +1381,8 @@ if (rename (tmpfil, mp->foldpath) == NOTOK) admonish (mp->foldpath, "unable to rename %s to", tmpfil); else { - strcpy (map1, map_name (tmpfil)); - strcpy (map2, map_name (mp->foldpath)); + strncpy (map1, map_name (tmpfil), BUFSIZ); + strncpy (map2, map_name (mp->foldpath), BUFSIZ); if (rename (map1, map2) == NOTOK) { admonish (map2, "unable to rename %s to", map1); @@ -1662,7 +1662,7 @@ return NOTOK; } - sprintf (path, "%s/%s", pp, cp ? cp : ""); + snprintf (path, BUFSIZ, "%s/%s", pp, cp ? cp : ""); strcpy (redirect, path); return OK; } --- nmh-0.27/uip/mshcmds.c.security Sun Feb 1 18:28:37 1998 +++ nmh-0.27/uip/mshcmds.c Sat Jul 18 14:04:48 1998 @@ -76,7 +76,7 @@ char *vec[MAXARGS]; vec[0] = r1bindex (pgm, '/'); - copyip (args, vec + 1); + copyip_n (args, vec + 1, MAXARGS); if (fmsh) { context_del (pfolder); @@ -164,7 +164,7 @@ fprintf (stderr, "-%s unknown\n", cp); return; case DIHELP: - sprintf (buf, "%s [msgs] [switches]", cmd_name); + snprintf (buf, BUFSIZ, "%s [msgs] [switches]", cmd_name); print_help (buf, distswit, 1); return; @@ -266,7 +266,7 @@ fprintf (stderr, "-%s unknown\n", cp); return; case EXHELP: - sprintf (buf, "%s [msgs] [switches]", cmd_name); + snprintf (buf, BUFSIZ, "%s [msgs] [switches]", cmd_name); print_help (buf, explswit, 1); return; @@ -495,7 +495,7 @@ fprintf (stderr, "-%s unknown\n", cp); return; case FIHELP: - sprintf (buf, "%s +folder... [msgs] [switches]", cmd_name); + snprintf (buf, BUFSIZ, "%s +folder... [msgs] [switches]", cmd_name); print_help (buf, fileswit, 1); return; @@ -657,7 +657,7 @@ fprintf (stderr, "-%s unknown\n", cp); return; case FLHELP: - sprintf (buf, "%s [+folder] [msg] [switches]", cmd_name); + snprintf (buf, BUFSIZ, "%s [+folder] [msg] [switches]", cmd_name); print_help (buf, foldswit, 1); return; @@ -720,7 +720,7 @@ } } else { - strcpy (buf, folder); + strncpy (buf, folder, BUFSIZ); if (expand (buf) == NOTOK) return; folder = buf; 
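Review bot: `strcpy (redirect, path)` directly after the converted `snprintf (path, BUFSIZ, "%s/%s", ...)` in the @@ -1662 hunk is left unbounded. The copy is safe only if `redirect` is at least as large as `path`, and both are declared outside the hunk. A bounded copy using the declared size of the destination, for example `snprintf (redirect, sizeof(redirect), "%s", path);` if `redirect` is an array in this scope, would make that explicit.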
@@ -874,7 +874,7 @@ fprintf (stderr, "-%s unknown\n", cp); return; case FOHELP: - sprintf (buf, "%s [msgs] [switches]", cmd_name); + snprintf (buf, BUFSIZ, "%s [msgs] [switches]", cmd_name); print_help (buf, forwswit, 1); return; @@ -929,7 +929,7 @@ } /* foil search of .mh_profile */ - sprintf (buf, "%sXXXXXX", invo_name); + snprintf (buf, BUFSIZ, "%sXXXXXX", invo_name); vec[0] = (char *)mktemp (buf); vec[vecp++] = "-file"; vec[vecp] = NULL; @@ -941,7 +941,7 @@ seq_setprev (mp); if (filter) { - strcpy (buf, filter); + strncpy (buf, filter, BUFSIZ); if (expand (buf) == NOTOK) return; if (access (filter = getcpy (etcpath (buf)), R_OK) == NOTOK) { @@ -961,10 +961,10 @@ forw (char *proc, char *filter, int vecp, char **vec) { int i, child_id, msgnum, msgcnt; - char tmpfil[80], *args[MAXARGS]; + char tmpfil[BUFSIZ], *args[MAXARGS]; FILE *out; - strcpy (tmpfil, m_tmpfil (invo_name)); + strncpy (tmpfil, m_tmpfil (invo_name), sizeof(tmpfil)); interrupted = 0; if (filter) switch (child_id = fork ()) { @@ -1132,7 +1132,7 @@ fprintf (stderr, "-%s unknown\n", cp); return; case MHELP: - sprintf (buf, "%s [msgs] [switches]", cmd_name); + snprintf (buf, BUFSIZ, "%s [msgs] [switches]", cmd_name); print_help (buf, markswit, 1); return; @@ -1355,7 +1355,7 @@ fprintf (stderr, "-%s unknown\n", cp); return; case MHNHELPSW: - sprintf (buf, "%s [msgs] [switches]", cmd_name); + snprintf (buf, BUFSIZ, "%s [msgs] [switches]", cmd_name); print_help (buf, mhnswit, 1); return; @@ -1464,7 +1464,7 @@ fprintf (stderr, "-%s unknown\n", cp); return; case PAHELP: - sprintf (buf, "%s [msgs] [switches]", cmd_name); + snprintf (buf, BUFSIZ, "%s [msgs] [switches]", cmd_name); print_help (buf, packswit, 1); return; @@ -1641,7 +1641,7 @@ fprintf (stderr, "-%s unknown\n", cp); return; case PIHELP: - sprintf (buf, "%s [msgs] [switches]", cmd_name); + snprintf (buf, BUFSIZ, "%s [msgs] [switches]", cmd_name); print_help (buf, pickswit, 1); return; 
@@ -1827,7 +1827,7 @@ fprintf (stderr, "-%s unknown\n", cp); return; case REHELP: - sprintf (buf, "%s [msgs] [switches]", cmd_name); + snprintf (buf, BUFSIZ, "%s [msgs] [switches]", cmd_name); print_help (buf, replswit, 1); return; @@ -1917,7 +1917,7 @@ fprintf (stderr, "-%s unknown\n", cp); return; case RMHELP: - sprintf (buf, "%s [msgs] [switches]", cmd_name); + snprintf (buf, BUFSIZ, "%s [msgs] [switches]", cmd_name); print_help (buf, rmmswit, 1); return; } @@ -1966,7 +1966,7 @@ else for (msgnum = mp->lowsel; msgnum <= mp->hghsel; msgnum++) if (is_selected (mp, msgnum)) { - strcpy (buffer, m_backup (cp = m_name (msgnum))); + strncpy (buffer, m_backup (cp = m_name (msgnum)),sizeof(buffer)); if (rename (cp, buffer) == NOTOK) admonish (buffer, "unable to rename %s to", cp); } @@ -2058,7 +2058,7 @@ fprintf (stderr, "-%s unknown\n", cp); return; case SCHELP: - sprintf (buf, "%s [msgs] [switches]", cmd_name); + snprintf (buf, BUFSIZ, "%s [msgs] [switches]", cmd_name); print_help (buf, scanswit, 1); return; @@ -2304,7 +2304,7 @@ vec[vecp++] = --cp; continue; case SHHELP: - sprintf (buf, "%s %s[switches] [switches for showproc]", + snprintf (buf, BUFSIZ, "%s %s[switches] [switches for showproc]", cmd_name, mode ? NULL : "[msgs] "); print_help (buf, showswit, 1); return; @@ -2735,7 +2735,7 @@ fprintf (stderr, "-%s unknown\n", cp); return; case SOHELP: - sprintf (buf, "%s [msgs] [switches]", cmd_name); + snprintf (buf, BUFSIZ, "%s [msgs] [switches]", cmd_name); print_help (buf, sortswit, 1); return; @@ -2972,7 +2972,7 @@ process (int msgnum, char *proc, int vecp, char **vec) { int child_id, status; - char tmpfil[80]; + char tmpfil[BUFSIZ]; FILE *out; if (fmsh) { 
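Review bot: The SHHELP line in the @@ -2304 hunk passes `mode ? NULL : "[msgs] "` to a `%s` conversion, and a null pointer for `%s` is undefined behaviour; the switch to snprintf keeps that argument unchanged. An empty string gives the intended output: `cmd_name, mode ? "" : "[msgs] ");`. The enclosing function lies outside the hunk.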
@@ -2984,14 +2984,14 @@ goto ready; } - strcpy (tmpfil, m_scratch ("", invo_name)); + strncpy (tmpfil, m_scratch ("", invo_name), BUFSIZ); if ((out = fopen (tmpfil, "w")) == NULL) { int olderr; extern int errno; - char newfil[80]; + char newfil[BUFSIZ]; olderr = errno; - strcpy (newfil, m_tmpfil (invo_name)); + strncpy (newfil, m_tmpfil (invo_name), BUFSIZ); if ((out = fopen (newfil, "w")) == NULL) { errno = olderr; advise (tmpfil, "unable to create temporary file"); --- nmh-0.27/uip/packf.c.security Wed Jan 14 21:14:15 1998 +++ nmh-0.27/uip/packf.c Sat Jul 18 16:33:27 1998 @@ -37,7 +37,7 @@ main (int argc, char **argv) { int msgp = 0, fd, msgnum; - char *cp, *maildir, *msgnam, *folder = NULL, buf[100]; + char *cp, *maildir, *msgnam, *folder = NULL, buf[BUFSIZ]; char **ap, **argp, *arguments[MAXARGS], *msgs[MAXARGS]; struct msgs *mp; struct stat st; @@ -46,13 +46,13 @@ setlocale(LC_ALL, ""); #endif invo_name = r1bindex (argv[0], '/'); - if ((cp = context_find (invo_name))) { + if ((cp = context_find (invo_name)) != NULL) { ap = brkstring (cp = getcpy (cp), " ", "\n"); - ap = copyip (ap, arguments); + ap = copyip_n(ap, arguments, MAXARGS); } else { ap = arguments; } - copyip (argv + 1, ap); + copyip_n(argv + 1, ap, MAXARGS); argp = arguments; while ((cp = *argp++)) { @@ -65,7 +65,7 @@ adios (NULL, "-%s unknown", cp); case HELPSW: - sprintf (buf, "%s [+folder] [msgs] [switches]", invo_name); + snprintf (buf, BUFSIZ, "%s [+folder] [msgs] [switches]", invo_name); print_help (buf, switches, 1); done (1); case VERSIONSW: 
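Review bot: In the packf.c hunk at -46, the second call `copyip_n(argv + 1, ap, MAXARGS);` passes the full size of `arguments` although `ap` may already point past the profile entries copied by the first call, so the bound is larger than the space that is left. Passing the remainder, `copyip_n(argv + 1, ap, MAXARGS - (int)(ap - arguments));`, keeps the combined copy inside the array. The same two-call pattern recurs in the prompter.c, rcvdist.c, repl.c, rmf.c, rmm.c, show.c, sortm.c, spost.c, vmh.c and whatnowsbr.c hunks. `main` continues outside the hunk.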
@@ -94,7 +94,8 @@ adios (NULL, "only one folder at a time!"); folder = path (cp + 1, *cp == '+' ? TFOLDER : TSUBCWF); } else { - msgs[msgp++] = cp; + if(msgptw_hour, ts->tw_min, ts->tw_sec, dtwszone (ts)); if ((tw = dparsetime (buffer)) != NULL) return tw; - sprintf (buffer, "%02d %s %04d %s", + snprintf (buffer, BUFSIZ, "%02d %s %04d %s", ts->tw_mday, tw_moty[ts->tw_mon], ts->tw_year, ap); if ((tw = dparsetime (buffer)) != NULL) return tw; - sprintf (buffer, "%02d %s %04d %s %s", + snprintf (buffer, BUFSIZ, "%02d %s %04d %s %s", ts->tw_mday, tw_moty[ts->tw_mon], ts->tw_year, ap, dtwszone (ts)); if ((tw = dparsetime (buffer)) != NULL) --- nmh-0.27/uip/popi.c.security Sat May 16 17:29:08 1998 +++ nmh-0.27/uip/popi.c Sat Jul 18 16:33:50 1998 @@ -91,7 +91,7 @@ int autosw = 1, noisy = 1, rpop; char *cp, *maildir, *folder = NULL, *form = NULL; char *format = NULL, *host = NULL, *user = NULL; - char *pass = NULL, buf[100], **ap, **argp; + char *pass = NULL, buf[BUFSIZ], **ap, **argp; char *arguments[MAXARGS]; struct stat st; @@ -103,11 +103,11 @@ snoop++; if ((cp = context_find (invo_name)) != NULL) { ap = brkstring (cp = getcpy (cp), " ", "\n"); - ap = copyip (ap, arguments); + ap = copyip_n(ap, arguments, BUFSIZ); } else ap = arguments; - copyip (argv + 1, ap); + copyip_n(argv + 1, ap, BUFSIZ); argp = arguments; rpop = getuid() && !geteuid(); @@ -122,7 +122,7 @@ adios (NULL, "-%s unknown", cp); case HELPSW: - sprintf (buf, "%s [+folder] [switches]", invo_name); + snprintf (buf, BUFSIZ, "%s [+folder] [switches]", invo_name); print_help (buf, switches, 1); done (1); case VERSIONSW: @@ -209,7 +209,7 @@ setuid (getuid ()); ruserpass (host, &user, &pass); } - sprintf (mailname, "PO box for %s@%s", user, host); + snprintf (mailname, BUFSIZ, "PO box for %s@%s", user, host); if (pop_init (host, user, pass, snoop, rpop) == NOTOK) adios (NULL, "%s", response); 
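Review bot: In the popi.c hunk at -103, both `copyip_n` calls are bounded by `BUFSIZ`, but the hunk at -91 declares the destination as `char *arguments[MAXARGS]`, so a byte-buffer size is being used as the element count of a pointer array. Unless MAXARGS happens to be at least BUFSIZ, which the hunk does not show, the copy can still run past the array. The other callers in this patch pass the array's own size, and the same is wanted here: `ap = copyip_n(ap, arguments, MAXARGS);`.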
@@ -219,7 +219,7 @@ /* get new format string */ nfs = new_fs (form, format, FORMAT); - if (!context_find ("path")) + if (context_find ("path") == NULL) free (path ("./", TFOLDER)); if (!folder) folder = getfolder (0); --- nmh-0.27/uip/popsbr.c.security Thu Jan 22 17:58:27 1998 +++ nmh-0.27/uip/popsbr.c Sat Jul 18 14:04:49 1998 @@ -83,24 +83,24 @@ if ((cp = strchr (response, '<')) == NULL || (lp = strchr (cp, '>')) == NULL) { sprintf (buffer, "APOP not available: %s", response); - strcpy (response, buffer); + strncpy (response, buffer, BUFSIZ); return NULL; } *++lp = NULL; - sprintf (buffer, "%s%s", cp, pass); + snprintf (buffer, BUFSIZ, "%s%s", cp, pass); MD5Init (&mdContext); MD5Update (&mdContext, (unsigned char *) buffer, (unsigned int) strlen (buffer)); MD5Final (digest, &mdContext); - sprintf (cp = buffer, "%s ", user); + snprintf (cp = buffer, BUFSIZ, "%s ", user); cp += strlen (cp); for (ep = (dp = digest) + sizeof digest / sizeof digest[0]; dp < ep; cp += 2) - sprintf (cp, "%02x", *dp++ & 0xff); + snprintf (cp, BUFSIZ-(cp-buffer), "%02x", *dp++ & 0xff); *cp = NULL; return buffer; @@ -136,7 +136,7 @@ # ifndef KPOP if ((fd1 = client (host, "tcp", POPSERVICE, rpop, response)) == NOTOK) # else /* KPOP */ - sprintf (buffer, "%s/%s", POPSERVICE, "kpop"); + snprintf (buffer, BUFSIZ, "%s/%s", POPSERVICE, "kpop"); if ((fd1 = client (host, "tcp", buffer, rpop, response)) == NOTOK) # endif #else /* NNTP */ @@ -148,9 +148,9 @@ char *s; if ((s = strerror(errno))) - sprintf (response, "unable to dup connection descriptor: %s", s); + snprintf (response, BUFSIZ, "unable to dup connection descriptor: %s", s); else - sprintf (response, "unable to dup connection descriptor: unknown error"); + snprintf (response, BUFSIZ, "unable to dup connection descriptor: unknown error"); close (fd1); return NOTOK; } 
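Review bot: In the popsbr.c hunk at -83, `sprintf (buffer, "APOP not available: %s", response);` is left unbounded while the `strcpy` right after it is converted, and the added prefix makes the formatted text longer than `response` itself. `response` presumably holds the server's reply (it is searched for `<` and `>` just above), so this is the write that most needs the bound: `snprintf (buffer, BUFSIZ, "APOP not available: %s", response);`, taking `buffer` to be BUFSIZ bytes as the other changed lines in this hunk do. The enclosing function starts outside the hunk.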
@@ -223,7 +223,7 @@ #ifdef NNTP if (myname && *myname) - strcpy (xtnd_name, myname); /* interface from bbc to msh */ + strcpy (xtnd_name, myname, 512); /* interface from bbc to msh */ #endif /* NNTP */ if ((input = fdopen (in, "r")) == NULL @@ -404,7 +404,7 @@ if (result == NOTOK) return NOTOK; - strcpy (buffer, response); + strncpy (buffer, response, BUFSIZ); for (;;) switch (multiline ()) { @@ -412,7 +412,7 @@ return NOTOK; case DONE: - strcpy (response, buffer); + strncpy (response, buffer, BUFSIZ); return OK; case OK: @@ -478,12 +478,12 @@ va_start(ap, fmt); #ifndef NNTP /* needs to be fixed... va_end needs to be added */ - sprintf (buffer, "XTND %s", fmt); + snprintf (buffer, BUFSIZ, "XTND %s", fmt); result = traverse (action, buffer, a, b, c, d); va_end(ap); return result; #else /* NNTP */ - sprintf (buffer, fmt, a, b, c, d); + snprintf (buffer, BUFSIZ, fmt, a, b, c, d); ap = brkstring (buffer, " ", "\n"); /* a hack, i know... */ if (!strcasecmp(ap[0], "x-bboards")) { /* XTND "X-BBOARDS group */ @@ -502,11 +502,11 @@ if (!strcasecmp (ap[0], "bboards")) { if (ap[1]) { /* XTND "BBOARDS group" */ - sprintf (xtnd_name, "%s", ap[1]); /* save the name */ + snprintf (xtnd_name, 512, "%s", ap[1]); /* save the name */ if (command("GROUP %s", xtnd_name) == NOTOK) return NOTOK; - strcpy (buffer, response); /* action must ignore extra args */ + strncpy (buffer, response, BUFSIZ); /* action must ignore extra args */ ap = brkstring (response, " ", "\n");/* "211 nart first last g" */ xtnd_first = atoi (ap[2]); xtnd_last = atoi (ap[3]); @@ -568,7 +568,7 @@ { char *cp, buffer[BUFSIZ]; - vsprintf (buffer, fmt, ap); + vsnprintf (buffer, BUFSIZ, fmt, ap); if (poprint) if (pophack) { if ((cp = strchr (buffer, ' '))) 
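Review bot: The changed line `strcpy (xtnd_name, myname, 512);` in the `#ifdef NNTP` block at -223 still calls `strcpy`, now with a third argument: with a prototype in scope an NNTP build will not compile, and without one the size is ignored and the copy stays unbounded. The hunk at -502 already writes the same buffer as `snprintf (xtnd_name, 512, "%s", ap[1]);`, so `snprintf (xtnd_name, 512, "%s", myname);` is the consistent form. The spop.c hunk at -512 has the same slip twice, in the `strcpy` calls that fill `bb_from` and `bb_home` with `BUFSIZ` as a third argument.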
@@ -625,10 +625,10 @@ if (buffer[TRMLEN] == 0) return DONE; else - strcpy (response, buffer + TRMLEN); + strncpy (response, buffer + TRMLEN, BUFSIZ); } else - strcpy (response, buffer); + strncpy (response, buffer, BUFSIZ); return OK; } --- nmh-0.27/uip/post.c.security Mon May 25 02:28:20 1998 +++ nmh-0.27/uip/post.c Sat Jul 18 14:04:49 1998 @@ -327,7 +327,7 @@ adios (NULL, "-%s unknown", cp); case HELPSW: - sprintf (buf, "%s [switches] file", invo_name); + snprintf (buf, BUFSIZ, "%s [switches] file", invo_name); print_help (buf, switches, 0); done (1); case VERSIONSW: @@ -533,7 +533,7 @@ } else { strcpy (tmpfil, m_scratch ("", m_maildir (invo_name))); if ((out = fopen (tmpfil, "w")) == NULL) { - strcpy (tmpfil, m_tmpfil (invo_name)); + strncpy (tmpfil, m_tmpfil (invo_name), BUFSIZ); if ((out = fopen (tmpfil, "w")) == NULL) adios (tmpfil, "unable to create"); } @@ -728,7 +728,7 @@ } nameoutput = linepos = 0; - sprintf (namep, "%s%s", !fill_in && (hdr->flags & HMNG) ? "Original-" : "", name); + snprintf (namep, BUFSIZ, "%s%s", !fill_in && (hdr->flags & HMNG) ? "Original-" : "", name); for (grp = 0, mp = tmpaddrs.m_next; mp; mp = np) if (mp->m_nohost) { /* also used to test (hdr->flags & HTRY) */ @@ -800,15 +800,15 @@ mygid = getgid (); time (&tclock); - strcpy (from, adrsprintf (NULL, NULL)); + strncpy (from, adrsprintf (NULL, NULL), BUFSIZ); - strcpy (myhost, LocalName ()); + strncpy (myhost, LocalName (), BUFSIZ); for (cp = myhost; *cp; cp++) *cp = uptolow (*cp); if ((cp = getfullname ()) && *cp) { - strcpy (sigbuf, cp); - sprintf (signature, "%s <%s>", sigbuf, adrsprintf (NULL, NULL)); + strncpy (sigbuf, cp, BUFSIZ); + snprintf (signature, BUFSIZ, "%s <%s>", sigbuf, adrsprintf (NULL, NULL)); if ((cp = getname (signature)) == NULL) adios (NULL, "getname () failed -- you lose extraordinarily big"); if ((mp = getm (cp, NULL, 0, AD_HOST, NULL)) == NULL) 
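Review bot: In the post.c hunk at -533, the first copy into `tmpfil`, `strcpy (tmpfil, m_scratch ("", m_maildir (invo_name)));`, is left as an unbounded `strcpy` while only the fallback two lines below is converted. Both paths write the same buffer, so the first wants the same bound: `snprintf (tmpfil, BUFSIZ, "%s", m_scratch ("", m_maildir (invo_name)));`. The declaration of `tmpfil` is outside the hunk, so its size should be confirmed against the BUFSIZ the converted line assumes.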
@@ -817,7 +817,7 @@ while (getname ("")) continue; } else { - strcpy (signature, adrsprintf (NULL, NULL)); + strncpy (signature, adrsprintf (NULL, NULL), BUFSIZ); } } @@ -923,7 +923,7 @@ mp->m_pers = getcpy (aka); if (format) { if (mp->m_gname && !fill_in) - sprintf (cp = buffer, "%s;", mp->m_gname); + snprintf (cp = buffer, BUFSIZ,"%s;", mp->m_gname); else cp = adrformat (mp); } @@ -1065,7 +1065,7 @@ int i; char buffer[BUFSIZ]; - sprintf (buffer, "%s\n", adrformat (mp)); + snprintf (buffer, BUFSIZ, "%s\n", adrformat (mp)); i = strlen (buffer); return (write (pfd, buffer, i) == i ? OK : NOTOK); @@ -1103,7 +1103,7 @@ char *vec[6]; FILE *out; - strcpy (bccfil, m_tmpfil ("bccs")); + strncpy (bccfil, m_tmpfil ("bccs"), BUFSIZ); if ((out = fopen (bccfil, "w")) == NULL) adios (bccfil, "unable to create"); chmod (bccfil, 0600); @@ -1423,19 +1423,19 @@ case LOCALHOST: mbox = lp->m_mbox; host = lp->m_host; - strcpy (addr, mbox); + strncpy (addr, mbox, BUFSIZ); break; case UUCPHOST: mbox = auxformat (lp, 0); host = NULL; - sprintf (addr, "%s!%s", lp->m_host, lp->m_mbox); + snprintf (addr, BUFSIZ, "%s!%s", lp->m_host, lp->m_mbox); break; default: /* let SendMail decide if the host is bad */ mbox = lp->m_mbox; host = lp->m_host; - sprintf (addr, "%s at %s", mbox, host); + snprintf (addr, BUFSIZ, "%s at %s", mbox, host); break; } @@ -1634,7 +1634,7 @@ case LOCALHOST: mbox = lp->m_mbox; host = LocalName (); - strcpy (addr, mbox); + strncpy (addr, mbox, BUFSIZ); break; case UUCPHOST: @@ -1647,7 +1647,7 @@ default: /* let MMDF decide if the host is bad */ mbox = lp->m_mbox; host = lp->m_host; - sprintf (addr, "%s at %s", mbox, host); + snprintf (addr, BUFSIZ, "%s at %s", mbox, host); break; } @@ -1881,7 +1881,7 @@ case OK: /* see if we need to add `+' */ - sprintf (fold, "%s%s", + snprintf (fold, BUFSIZ, "%s%s", *folder == '+' || *folder == '@' ? "" : "+", folder); /* now exec the fileproc */ 
@@ -1947,7 +1947,7 @@ char buffer[BUFSIZ]; va_list ap; - sprintf (buffer, "[%s]", rp_valstr (code)); + snprintf (buffer, BUFSIZ, "[%s]", rp_valstr (code)); va_start(ap, fmt); advertise (buffer, NULL, fmt, ap); --- nmh-0.27/uip/prompter.c.security Wed Jan 14 21:15:07 1998 +++ nmh-0.27/uip/prompter.c Sat Jul 18 16:34:02 1998 @@ -110,13 +110,13 @@ setlocale(LC_ALL, ""); #endif invo_name = r1bindex (argv[0], '/'); - if ((cp = context_find (invo_name))) { + if ((cp = context_find (invo_name)) != NULL) { ap = brkstring (cp = getcpy (cp), " ", "\n"); - ap = copyip (ap, arguments); + ap = copyip_n(ap, arguments, MAXARGS); } else { ap = arguments; } - copyip (argv + 1, ap); + copyip_n(argv + 1, ap, MAXARGS); argp = arguments; while ((cp = *argp++)) @@ -129,7 +129,7 @@ adios (NULL, "-%s unknown", cp); case HELPSW: - sprintf (buffer, "%s [switches] file", invo_name); + snprintf (buffer, BUFSIZ, "%s [switches] file", invo_name); print_help (buffer, switches, 1); done (1); case VERSIONSW: @@ -183,7 +183,7 @@ if ((in = fopen (drft, "r")) == NULL) adios (drft, "unable to open"); - strcpy (tmpfil, m_tmpfil (invo_name)); + strncpy (tmpfil, m_tmpfil (invo_name), BUFSIZ); if ((out = fopen (tmpfil, "w")) == NULL) adios (tmpfil, "unable to create"); chmod (tmpfil, 0600); --- nmh-0.27/uip/rcvdist.c.security Thu Jan 22 17:45:45 1998 +++ nmh-0.27/uip/rcvdist.c Sat Jul 18 16:34:09 1998 @@ -36,7 +36,7 @@ { pid_t child_id; int i, vecp = 1; - char *addrs = NULL, *cp, *form = NULL, buf[100]; + char *addrs = NULL, *cp, *form = NULL, buf[BUFSIZ]; char **ap, **argp, *arguments[MAXARGS], *vec[MAXARGS]; register FILE *fp; 
@@ -45,13 +45,13 @@ #endif invo_name = r1bindex (argv[0], '/'); mts_init (invo_name); - if ((cp = context_find (invo_name))) { + if ((cp = context_find (invo_name)) != NULL) { ap = brkstring (cp = getcpy (cp), " ", "\n"); - ap = copyip (ap, arguments); + ap = copyip_n (ap, arguments, MAXARGS); } else { ap = arguments; } - copyip (argv + 1, ap); + copyip_n(argv + 1, ap, MAXARGS); argp = arguments; while ((cp = *argp++)) { @@ -61,11 +61,12 @@ ambigsw (cp, switches); done (1); case UNKWNSW: - vec[vecp++] = --cp; + if(vecpf_name)); + strncpy (nmaildir, m_maildir (fp->f_name), BUFSIZ); if (stat (nmaildir, &st) == NOTOK) { if (errno != ENOENT) --- nmh-0.27/uip/repl.c.security Wed Jul 1 00:15:56 1998 +++ nmh-0.27/uip/repl.c Sat Jul 18 16:35:15 1998 @@ -136,7 +136,7 @@ int nedit = 0, nwhat = 0; char *cp, *cwd, *dp, *maildir, *file = NULL; char *folder = NULL, *msg = NULL, *dfolder = NULL; - char *dmsg = NULL, *ed = NULL, drft[BUFSIZ], buf[100]; + char *dmsg = NULL, *ed = NULL, drft[BUFSIZ], buf[BUFSIZ]; char **ap, **argp, *arguments[MAXARGS]; struct msgs *mp = NULL; struct stat st; @@ -150,13 +150,13 @@ setlocale(LC_ALL, ""); #endif invo_name = r1bindex (argv[0], '/'); - if ((cp = context_find (invo_name))) { + if ((cp = context_find (invo_name)) != NULL) { ap = brkstring (cp = getcpy (cp), " ", "\n"); - ap = copyip (ap, arguments); + ap = copyip_n(ap, arguments, MAXARGS); } else { ap = arguments; } - copyip (argv + 1, ap); + copyip_n(argv + 1, ap, MAXARGS); argp = arguments; while ((cp = *argp++)) { @@ -169,7 +169,7 @@ adios (NULL, "-%s unknown", cp); case HELPSW: - sprintf (buf, "%s: [+folder] [msg] [switches]", invo_name); + snprintf (buf, BUFSIZ, "%s: [+folder] [msg] [switches]", invo_name); print_help (buf, switches, 1); done (0); case VERSIONSW: @@ -326,7 +326,7 @@ cwd = getcpy (pwd ()); - if (!context_find ("path")) + if (context_find ("path") == NULL) free (path ("./", TFOLDER)); if (file && (msg || folder)) adios (NULL, "can't mix files and folders/msgs"); 
@@ -340,7 +340,7 @@ /* Check if a draft exists */ if (!buildsw && stat (drft, &st) != NOTOK) { #else - strcpy (drft, m_draft (dfolder, dmsg, NOUSE, &isdf)); + strncpy (drft, m_draft (dfolder, dmsg, NOUSE, &isdf), BUFSIZ); /* Check if a draft exists */ if (stat (drft, &st) != NOTOK) { --- nmh-0.27/uip/replsbr.c.security Wed Feb 25 17:36:41 1998 +++ nmh-0.27/uip/replsbr.c Sat Jul 18 14:04:49 1998 @@ -338,7 +338,7 @@ /* concatenate all the new addresses onto 'buf' */ for (isgroup = 0; cp = getname (str); ) { if ((mp = getm (cp, dfhost, dftype, AD_NAME, error)) == NULL) { - sprintf (baddr, "\t%s -- %s\n", cp, error); + snprintf (baddr, BUFSIZ, "\t%s -- %s\n", cp, error); badaddrs = add (baddr, badaddrs); continue; } @@ -390,7 +390,7 @@ return 0; if (querysw) { - sprintf (buffer, "Reply to %s? ", adrformat (np)); + snprintf (buffer, BUFSIZ, "Reply to %s? ", adrformat (np)); if (!gans (buffer, anoyes)) return 0; } --- nmh-0.27/uip/rmf.c.security Fri May 8 15:50:27 1998 +++ nmh-0.27/uip/rmf.c Sat Jul 18 16:35:35 1998 @@ -31,19 +31,19 @@ { int defolder = 0, interactive = -1; char *cp, *folder = NULL, newfolder[BUFSIZ]; - char buf[100], **ap, **argp, *arguments[MAXARGS]; + char buf[BUFSIZ], **ap, **argp, *arguments[MAXARGS]; #ifdef LOCALE setlocale(LC_ALL, ""); #endif invo_name = r1bindex (argv[0], '/'); - if ((cp = context_find (invo_name))) { + if ((cp = context_find (invo_name)) != NULL) { ap = brkstring (cp = getcpy (cp), " ", "\n"); - ap = copyip (ap, arguments); + ap = copyip_n (ap, arguments, MAXARGS); } else { ap = arguments; } - copyip (argv + 1, ap); + copyip_n(argv + 1, ap, MAXARGS); argp = arguments; while ((cp = *argp++)) { @@ -56,7 +56,7 @@ adios (NULL, "-%s unknown", cp); case HELPSW: - sprintf (buf, "%s [+folder] [switches]", invo_name); + snprintf (buf, BUFSIZ, "%s [+folder] [switches]", invo_name); print_help (buf, switches, 1); done (1); case VERSIONSW: 
@@ -81,7 +81,7 @@ } } - if (!context_find ("path")) + if (context_find ("path") == NULL) free (path ("./", TFOLDER)); if (!folder) { folder = getfolder (1); @@ -99,9 +99,9 @@ if (cp > newfolder) *cp = '\0'; else - strcpy (newfolder, getfolder(0)); + strncpy (newfolder, getfolder(0), BUFSIZ); } else { - strcpy (newfolder, getfolder(0)); + strncpy (newfolder, getfolder(0), BUFSIZ); } if (interactive) { @@ -134,7 +134,7 @@ break; /* fall otherwise */ case NOTOK: - sprintf (cur, "atr-%s-%s", current, m_mailpath (folder)); + snprintf (cur, BUFSIZ, "atr-%s-%s", current, m_mailpath (folder)); if (!context_del (cur)) { printf ("[+%s de-referenced]\n", folder); return OK; --- nmh-0.27/uip/rmm.c.security Mon Jun 22 16:16:45 1998 +++ nmh-0.27/uip/rmm.c Sat Jul 18 16:35:53 1998 @@ -21,7 +21,7 @@ { int msgp = 0, msgnum; char *cp, *maildir, *folder = NULL; - char buf[100], **ap, **argp; + char buf[BUFSIZ], **ap, **argp; char *arguments[MAXARGS], *msgs[MAXARGS]; struct msgs *mp; @@ -29,13 +29,13 @@ setlocale(LC_ALL, ""); #endif invo_name = r1bindex (argv[0], '/'); - if ((cp = context_find (invo_name))) { + if ((cp = context_find (invo_name)) != NULL) { ap = brkstring (cp = getcpy (cp), " ", "\n"); - ap = copyip (ap, arguments); + ap = copyip_n (ap, arguments, MAXARGS); } else { ap = arguments; } - copyip (argv + 1, ap); + copyip_n (argv + 1, ap, MAXARGS); argp = arguments; while ((cp = *argp++)) { @@ -48,7 +48,7 @@ adios (NULL, "-%s unknown\n", cp); case HELPSW: - sprintf (buf, "%s [+folder] [msgs] [switches]", invo_name); + snprintf (buf, BUFSIZ, "%s [+folder] [msgs] [switches]", invo_name); print_help (buf, switches, 1); done (1); case VERSIONSW: @@ -62,11 +62,12 @@ else folder = path (cp + 1, *cp == '+' ? TFOLDER : TSUBCWF); } else { - msgs[msgp++] = cp; + if(msgp=MAXARGS-2) + break; vec[vecp++] = "-alias"; vec[vecp++] = *ap; } 
@@ -282,7 +295,8 @@ goto go_to_it; } #endif /* WHATNOW */ - msgs[msgp++] = getcpy (m_draft (NULL, NULL, 1, &isdf)); + if(msgp", (int) getpid(), + snprintf (msgid, BUFSIZ, "<%d.%ld@%s>", (int) getpid(), (long) clock, LocalName()); fseek (in, start, SEEK_SET); @@ -242,7 +242,7 @@ char tmpdrf[BUFSIZ]; FILE *out; - strcpy (tmpdrf, m_scratch (drft, invo_name)); + strncpy (tmpdrf, m_scratch (drft, invo_name), BUFSIZ); if ((out = fopen (tmpdrf, "w")) == NULL) adios (tmpdrf, "unable to open for writing"); chmod (tmpdrf, 0600); @@ -348,7 +348,7 @@ if (annotext) { if ((fd2 = tmp_fd ()) != NOTOK) { vec[vecp++] = "-idanno"; - sprintf (buf, "%d", fd2); + snprintf (buf, BUFSIZ, "%d", fd2); vec[vecp++] = buf; } else { admonish (NULL, "unable to create file for annotation list"); @@ -466,7 +466,7 @@ dup2 (out, fileno (stdin)); close (out); /* create subject for error notification */ - sprintf (buf, "send failed on %s", + snprintf (buf, BUFSIZ, "send failed on %s", forwsw ? "enclosed draft" : file); execlp (mailproc, r1bindex (mailproc, '/'), getusername (), @@ -487,7 +487,7 @@ int fd; char tmpfil[BUFSIZ]; - strcpy (tmpfil, m_tmpfil (invo_name)); + strncpy (tmpfil, m_tmpfil (invo_name), BUFSIZ); if ((fd = open (tmpfil, O_RDWR | O_CREAT | O_TRUNC, 0600)) == NOTOK) return NOTOK; if (debugsw) --- nmh-0.27/uip/show.c.security Sun Feb 1 18:16:41 1998 +++ nmh-0.27/uip/show.c Sat Jul 18 16:36:57 1998 @@ -61,7 +61,7 @@ int nshow = 0, checkmime = 1, mime; int vecp = 1, procp = 1, isdf = 0, mode = SHOW, msgnum; char *cp, *maildir, *file = NULL, *folder = NULL, *proc; - char buf[100], **ap, **argp, *arguments[MAXARGS]; + char buf[BUFSIZ], **ap, **argp, *arguments[MAXARGS]; char *msgs[MAXARGS], *vec[MAXARGS]; struct msgs *mp; 
@@ -76,13 +76,13 @@ mode = PREV; } - if ((cp = context_find (invo_name))) { + if ((cp = context_find (invo_name)) != NULL) { ap = brkstring (cp = getcpy (cp), " ", "\n"); - ap = copyip (ap, arguments); + ap = copyip_n (ap, arguments, MAXARGS); } else { ap = arguments; } - copyip (argv + 1, ap); + copyip_n (argv + 1, ap, MAXARGS); argp = arguments; while ((cp = *argp++)) { @@ -93,11 +93,12 @@ done (1); case UNKWNSW: case NPROGSW: - vec[vecp++] = --cp; + if(vecplowsel; msgnum <= mp->hghsel; msgnum++) if (is_selected(mp, msgnum)) - vec[vecp++] = getcpy (m_name (msgnum)); + if(vecphghsel); /* update current message */ seq_save (mp); /* synchronize sequences */ @@ -308,11 +317,15 @@ */ if (strcmp (r1bindex (proc, '/'), "mhn") == 0) { if (draftsw || file) { - vec[vecp] = vec[vecp - 1]; - vec[vecp - 1] = "-file"; - vecp++; + if(vecppw_dir, mmdflfil[0] ? mmdflfil : pw->pw_name); mbox = mailbox; @@ -539,9 +539,9 @@ continue; /* else fall */ case '+': if (*string == '+') - strcpy(tmpbuf, string); + snprintf(tmpbuf, BUFSIZ, "%s", string); else - sprintf(tmpbuf, "+%s", string); + snprintf(tmpbuf, BUFSIZ, "+%s", string); vec[2] = "rcvstore"; vec[3] = tmpbuf; vec[4] = NULL; @@ -1068,7 +1068,7 @@ } i = strlen ("From "); - strcpy (buffer, envelope + i); + snprintf(buffer, BUFSIZ, "%s", envelope + i); if ((cp = strchr(buffer, '\n'))) { *cp = 0; cp -= 24; @@ -1101,7 +1101,7 @@ char buffer[BUFSIZ]; FILE *qfp, *ffp; - strcpy (tmpfil, m_tmpfil (invo_name)); + snprintf(tmpfil, BUFSIZ, "%s", m_tmpfil (invo_name)); /* open temporary file to put message in */ if ((fd1 = open (tmpfil, O_RDWR | O_CREAT | O_TRUNC, 0600)) == -1) 
@@ -1186,10 +1186,10 @@ if (hp) { /* return path for UUCP style addressing */ ep = strchr(++hp, '\n'); - sprintf (buffer, "Return-Path: %.*s!%.*s\n", ep - hp, hp, cp - fp, fp); + snprintf (buffer, BUFSIZ, "Return-Path: %.*s!%.*s\n", ep - hp, hp, cp - fp, fp); } else { /* return path for standard domain addressing */ - sprintf (buffer, "Return-Path: %.*s\n", cp - fp, fp); + snprintf (buffer, BUFSIZ, "Return-Path: %.*s\n", cp - fp, fp); } /* Add Return-Path header to message */ @@ -1243,7 +1243,7 @@ return NULL; /* copy string into temp buffer */ - strcpy (buffer, cp); + strncpy (buffer, cp, sizeof(buffer)); bp = buffer; /* skip over leading whitespace */ --- nmh-0.27/uip/sortm.c.security Thu Jan 22 17:47:15 1998 +++ nmh-0.27/uip/sortm.c Sat Jul 18 16:37:13 1998 @@ -66,7 +66,7 @@ { int msgp = 0, i, msgnum; char *cp, *maildir, *datesw = NULL; - char *folder = NULL, buf[100], **ap, **argp; + char *folder = NULL, buf[BUFSIZ], **ap, **argp; char *arguments[MAXARGS], *msgs[MAXARGS]; struct msgs *mp; struct smsg **dlist; @@ -75,13 +75,13 @@ setlocale(LC_ALL, ""); #endif invo_name = r1bindex (argv[0], '/'); - if ((cp = context_find (invo_name))) { + if ((cp = context_find (invo_name)) != NULL) { ap = brkstring (cp = getcpy (cp), " ", "\n"); - ap = copyip (ap, arguments); + ap = copyip_n (ap, arguments, MAXARGS); } else { ap = arguments; } - copyip (argv + 1, ap); + copyip_n (argv + 1, ap, MAXARGS); argp = arguments; while ((cp = *argp++)) { @@ -94,7 +94,7 @@ adios (NULL, "-%s unknown", cp); case HELPSW: - sprintf(buf, "%s [+folder] [msgs] [switches]", invo_name); + snprintf(buf, BUFSIZ, "%s [+folder] [msgs] [switches]", invo_name); print_help (buf, switches, 1); done (1); case VERSIONSW: @@ -154,11 +154,12 @@ else folder = path (cp + 1, *cp == '+' ? TFOLDER : TSUBCWF); } else { - msgs[msgp++] = cp; + if(msgphghmsg + 1)); + strncpy (tmpfil, m_name (mp->hghmsg + 1), BUFSIZ); for (i = 0; i < nmsgs; i++) { if (! (sp = mlist[i])) 
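Review bot: In the slocal.c hunk at -1186, the precisions passed to `%.*s` are pointer differences (`ep - hp`, `cp - fp`), but `*` consumes an `int`; where `ptrdiff_t` is wider than `int` the argument list is misread. Cast at the call, `snprintf (buffer, BUFSIZ, "Return-Path: %.*s\n", (int)(cp - fp), fp);`, and likewise for the UUCP form. `ep` also comes from `strchr(++hp, '\n')` with no NULL check before `ep - hp` is computed, which is worth a guard while these lines are being touched.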
@@ -529,7 +530,7 @@ */ old = smsgs[j].s_msg; new = smsgs[i].s_msg; - strcpy (f1, m_name (old)); + strncpy (f1, m_name (old), BUFSIZ); if (verbose) printf ("renaming message chain from %d to %d\n", old, new); --- nmh-0.27/uip/spop.c.security Sun Nov 30 04:41:10 1997 +++ nmh-0.27/uip/spop.c Sat Jul 18 14:04:49 1998 @@ -333,7 +333,7 @@ } va_start(ap, fmt); - vsprintf (buffer, fmt, ap); + vsnprintf (buffer, BUFSIZ-1 /* for the \n */, fmt, ap); va_end(ap); bp = buffer; @@ -375,14 +375,14 @@ if (rp_isbad (sm_waend ())) goto sm_err; - sprintf (buffer, + snprintf (buffer, BUFSIZ, "Date: %s\nFrom: %s\nTo: %s\nSubject: BBoards Failure\n\n", dtimenow (0), bb_from, bb_from); if (rp_isbad (sm_wtxt (buffer, strlen (buffer)))) goto sm_err; for (i = 0; bb[i]; i++) { - sprintf (buffer, "BBoard %s\n", bb[i]->bb_name); + snprintf (buffer, BUFSIZ, "BBoard %s\n", bb[i]->bb_name); if (rp_isbad (sm_wtxt (buffer, strlen (buffer)))) goto sm_err; } @@ -512,8 +512,8 @@ bb_uid = pw->pw_uid; bb_gid = pw->pw_gid; #ifndef SPOP - strcpy (bb_from, adrsprintf (pw->pw_name, LocalName ())); - strcpy (bb_home, pw->pw_dir); + strcpy (bb_from, adrsprintf (pw->pw_name, LocalName ()), BUFSIZ); + strcpy (bb_home, pw->pw_dir, BUFSIZ); #endif not SPOP if (*vec == NULL) --- nmh-0.27/uip/spost.c.security Sat May 16 17:38:10 1998 +++ nmh-0.27/uip/spost.c Sat Jul 18 14:22:59 1998 @@ -210,8 +210,8 @@ invo_name = r1bindex (argv[0], '/'); mts_init (invo_name); if ((cp = context_find (invo_name)) != NULL) { - argp = copyip (brkstring (cp, " ", "\n"), arguments); - copyip (argv+1, argp); + argp = copyip_n (brkstring (cp, " ", "\n"), arguments, MAXARGS); + copyip_n (argv+1, argp, MAXARGS); argp = arguments; } @@ -391,7 +391,7 @@ fclose (in); if (backflg && !whomflg) { - strcpy (buf, m_backup (msg)); + strncpy (buf, m_backup (msg), BUFSIZ); if (rename (msg, buf) == NOTOK) advise (buf, "unable to rename %s to", msg); } 
@@ -528,14 +528,14 @@ char *cp; char sigbuf[BUFSIZ]; - strcpy( from, getusername() ); + strncpy( from, getusername(), BUFSIZ); if ((cp = getfullname ()) && *cp) { - strcpy (sigbuf, cp); - sprintf (signature, "%s <%s>", sigbuf, from); + strncpy (sigbuf, cp, BUFSIZ); + snprintf (signature, BUFSIZ, "%s <%s>", sigbuf, from); } else - sprintf (signature, "%s", from); + snprintf (signature, BUFSIZ, "%s", from); } --- nmh-0.27/uip/vmh.c.security Mon Jun 22 16:20:28 1998 +++ nmh-0.27/uip/vmh.c Sat Jul 18 16:37:34 1998 @@ -224,13 +224,13 @@ setlocale(LC_ALL, ""); #endif invo_name = r1bindex (argv[0], '/'); - if ((cp = context_find (invo_name))) { + if ((cp = context_find (invo_name)) != NULL) { ap = brkstring (cp = getcpy (cp), " ", "\n"); - ap = copyip (ap, arguments); + ap = copyip_n (ap, arguments, MAXARGS); } else { ap = arguments; } - copyip (argv + 1, ap); + copyip_n (argv + 1, ap, MAXARGS); argp = arguments; while ((cp = *argp++)) @@ -244,7 +244,7 @@ continue; case HELPSW: - sprintf (buffer, "%s [switches for vmhproc]", invo_name); + snprintf (buffer, BUFSIZ, "%s [switches for vmhproc]", invo_name); print_help (buffer, switches, 1); done (1); case VERSIONSW: @@ -265,7 +265,8 @@ continue; } else - vec[vecp++] = cp; + if(vecp< MAXARGS-1) + vec[vecp++] = cp; if (TTYinit (nprog) == NOTOK || WINinit (nprog) == NOTOK) { vec[vecp] = NULL; @@ -340,10 +341,10 @@ close (pfd1[1]); vec[vecp++] = "-vmhread"; - sprintf (buf1, "%d", pfd1[0]); + snprintf (buf1, BUFSIZ, "%d", pfd1[0]); vec[vecp++] = buf1; vec[vecp++] = "-vmhwrite"; - sprintf (buf2, "%d", pfd0[1]); + snprintf (buf2, BUFSIZ, "%d", pfd0[1]); vec[vecp++] = buf2; vec[vecp] = NULL; 
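Review bot: In the vmh.c hunk at -265, the new guard `if(vecp< MAXARGS-1)` reserves a single slot, but the hunk at -340 then appends four more entries (`-vmhread`, `buf1`, `-vmhwrite`, `buf2`) and a NULL to `vec` with no check. If both hunks operate on the same `vec`, as the names suggest, the guard has to leave that room: `if (vecp < MAXARGS - 5)`. Arguments beyond the limit are also dropped silently; a call such as `adios (NULL, "too many arguments");` would make the truncation visible.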
@@ -373,14 +374,16 @@ struct record rcs; register struct record *rc = &rcs; register WINDOW **w; + int len; initrc (rc); bp = buffer; - sprintf (bp, "%d %d", RC_VRSN, numwins); + len = BUFSIZ; + len -= snprintf (bp, len, "%d %d", RC_VRSN, numwins); bp += strlen (bp); for (w = windows; *w; w++) { - sprintf (bp, " %d", (*w)->_maxy); + len -= snprintf (bp, len, " %d", (*w)->_maxy); bp += strlen (bp); } @@ -796,7 +799,8 @@ } if (c >= ' ' && c < '\177') - waddch (w, *bp++ = c); + if(bp-buffer < BUFSIZ-1) + waddch (w, *bp++ = c); break; } @@ -1471,7 +1475,7 @@ iov++; } - vsprintf (buffer, fmt, ap); + vsnprintf (buffer, BUFSIZ, fmt, ap); iov->iov_len = strlen (iov->iov_base = buffer); iov++; if (what) { @@ -1484,7 +1488,7 @@ iov++; } if (!(iov->iov_base = strerror (eindex))) { - sprintf (err, "Error %d", eindex); + snprintf (err, BUFSIZ, "Error %d", eindex); iov->iov_base = err; } iov->iov_len = strlen (iov->iov_base); --- nmh-0.27/uip/vmhsbr.c.security Wed Dec 17 03:27:26 1997 +++ nmh-0.27/uip/vmhsbr.c Sat Jul 18 14:04:49 1998 @@ -41,7 +41,7 @@ PEERwfd = wfd; if ((cp = getenv ("MHVDEBUG")) && *cp) { - sprintf (buffer, "%s.out", invo_name); + snprintf (buffer, BUFSIZ, "%s.out", invo_name); if ((fp = fopen (buffer, "w"))) { fseek (fp, 0L, SEEK_END); fprintf (fp, "%d: rcinit (%d, %d)\n", (int) getpid(), rfd, wfd); @@ -179,18 +179,18 @@ int eindex = errno; register char *bp, *s; char buffer[BUFSIZ * 2]; - - vsprintf (buffer, fmt, ap); + int len=BUFSIZ*2; + len-=vsnprintf (buffer, len, fmt, ap); bp = buffer + strlen (buffer); if (what) { if (*what) { - sprintf (bp, " %s: ", what); + len-=snprintf (bp, len, " %s: ", what); bp += strlen (bp); } if ((s = strerror (eindex))) - strcpy (bp, s); + len-=snprintf(bp, len, "%s",s); else - sprintf (bp, "unknown error %d", eindex); + len-=snprintf (bp, len, "unknown error %d", eindex); bp += strlen (bp); } 
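Review bot: In the vmh.c hunk at -373, `len -= snprintf (bp, len, …)` treats the return value as the number of bytes stored, but on truncation snprintf returns the length the full output would have had (or -1 on some older C libraries), so `len` can go negative or grow, and a negative `int` passed as the size becomes a very large `size_t` on the next call. Deriving the remainder from the pointer avoids the bookkeeping, as the popsbr.c hunk already does: `snprintf (bp, BUFSIZ - (bp - buffer), " %d", (*w)->_maxy);`. The same `len -=` pattern appears in the vmhsbr.c hunk at -179 and in the whatnowproc.c and mhmisc.c hunks. The function starts outside the hunk.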
@@ -205,7 +205,7 @@ static char buffer[BUFSIZ * 2]; va_start(ap, fmt); - vsprintf (buffer, fmt, ap); + vsnprintf (buffer, BUFSIZ*2, fmt, ap); va_end(ap); rc->rc_len = strlen (rc->rc_data = getcpy (buffer)); --- nmh-0.27/uip/vmhtest.c.security Wed Jan 14 21:19:58 1998 +++ nmh-0.27/uip/vmhtest.c Sat Jul 18 14:04:49 1998 @@ -58,7 +58,7 @@ adios (NULL, "-%s unknown", cp); case HELPSW: - sprintf (buffer, "%s [switches]", invo_name); + snprintf (buffer, BUFSIZ, "%s [switches]", invo_name); print_help (buffer, switches, 0); done (1); case VERSIONSW: @@ -241,7 +241,7 @@ initrc (rc); - sprintf (buffer, "%d", selwin ()); + snprintf (buffer, BUFSIZ, "%d", selwin ()); switch (str2rc (RC_WIN, buffer, rc)) { case RC_ACK: break; --- nmh-0.27/uip/whatnowproc.c.security Thu Jul 2 18:21:58 1998 +++ nmh-0.27/uip/whatnowproc.c Sat Jul 18 16:40:19 1998 @@ -24,7 +24,8 @@ int found, k, msgnum, vecp; register char *bp; char buffer[BUFSIZ], *vec[MAXARGS]; - + int len; + vecp = 0; vec[vecp++] = r1bindex (whatnowproc, '/'); vec[vecp] = NULL; @@ -38,7 +39,7 @@ if (mp == NULL || *altmsg == '/' || cwd == NULL) m_putenv ("mhaltmsg", altmsg); else { - sprintf (buffer, "%s/%s", mp->foldpath, altmsg); + snprintf (buffer, BUFSIZ, "%s/%s", mp->foldpath, altmsg); m_putenv ("mhaltmsg", buffer); } } else { @@ -46,7 +47,7 @@ } if ((bp = getenv ("mhaltmsg")))/* XXX */ m_putenv ("editalt", bp); - sprintf (buffer, "%d", dist); + snprintf (buffer, BUFSIZ, "%d", dist); m_putenv ("mhdist", buffer); if (nedit) { unputenv ("mheditor"); @@ -54,7 +55,7 @@ m_putenv ("mheditor", ed ? ed : (ed = context_find ("editor")) ? ed : defaulteditor); } - sprintf (buffer, "%d", use); + snprintf (buffer, BUFSIZ, "%d", use); m_putenv ("mhuse", buffer); unputenv ("mhmessages"); 
@@ -63,14 +64,15 @@ if (text && mp && !is_readonly(mp)) { found = 0; bp = buffer; + len = BUFSIZ; for (msgnum = mp->lowmsg; msgnum <= mp->hghmsg; msgnum++) { if (is_selected(mp, msgnum)) { - sprintf (bp, "%s%s", found ? " " : "", m_name (msgnum)); + len-=snprintf (bp, len, "%s%s", found ? " " : "", m_name (msgnum)); bp += strlen (bp); for (k = msgnum + 1; k <= mp->hghmsg && is_selected(mp, k); k++) continue; if (--k > msgnum) { - sprintf (bp, "-%s", m_name (k)); + len-=snprintf (bp, len, "-%s", m_name (k)); bp += strlen (bp); } msgnum = k + 1; @@ -80,7 +82,7 @@ if (found) { m_putenv ("mhmessages", buffer); m_putenv ("mhannotate", text); - sprintf (buffer, "%d", inplace); + snprintf (buffer, BUFSIZ, "%d", inplace); m_putenv ("mhinplace", buffer); } } --- nmh-0.27/uip/whatnowsbr.c.security Fri Jul 3 17:19:21 1998 +++ nmh-0.27/uip/whatnowsbr.c Sat Jul 18 16:38:14 1998 @@ -82,18 +82,18 @@ int isdf = 0, nedit = 0, use = 0; char *cp, *dfolder = NULL, *dmsg = NULL; char *ed = NULL, *drft = NULL, *msgnam = NULL; - char buf[100], prompt[BUFSIZ]; + char buf[BUFSIZ], prompt[BUFSIZ]; char **ap, **argp, *arguments[MAXARGS]; struct stat st; invo_name = r1bindex (argv[0], '/'); - if ((cp = context_find (invo_name))) { + if ((cp = context_find (invo_name)) != NULL) { ap = brkstring (cp = getcpy (cp), " ", "\n"); - ap = copyip (ap, arguments); + ap = copyip_n (ap, arguments, MAXARGS); } else { ap = arguments; } - copyip (argv + 1, ap); + copyip_n (argv + 1, ap, MAXARGS); argp = arguments; while ((cp = *argp++)) { @@ -106,7 +106,7 @@ adios (NULL, "-%s unknown", cp); case HELPSW: - sprintf (buf, "%s [switches] [file]", invo_name); + snprintf (buf, BUFSIZ, "%s [switches] [file]", invo_name); print_help (buf, whatnowswitches, 1); done (1); case VERSIONSW: 
@@ -170,7 +170,7 @@ if (!nedit && editfile (&ed, NULL, drft, use, NULL, msgnam, NULL, 1) < 0) done (1); - sprintf (prompt, myprompt, invo_name); + snprintf (prompt, BUFSIZ, myprompt, invo_name); for (;;) { if (!(argp = getans (prompt, aleqs))) { unlink (LINK); @@ -294,13 +294,13 @@ if (altmsg) { if (mp == NULL || *altmsg == '/' || cwd == NULL) - strcpy (altpath, altmsg); + snprintf(altpath, BUFSIZ, "%s", altmsg); else - sprintf (altpath, "%s/%s", mp->foldpath, altmsg); + snprintf (altpath, BUFSIZ, "%s/%s", mp->foldpath, altmsg); if (cwd == NULL) - strcpy (linkpath, LINK); + snprintf(linkpath, BUFSIZ, "%s", LINK); else - sprintf (linkpath, "%s/%s", cwd, LINK); + snprintf (linkpath, BUFSIZ, "%s/%s", cwd, LINK); } if (altmsg) { @@ -702,7 +702,7 @@ sendit (char *sp, char **arg, char *file, int pushed) { int vecp = 1; - char *cp, buf[100], **ap, **argp; + char *cp, buf[BUFSIZ], **ap, **argp; char *arguments[MAXARGS], *vec[MAXARGS]; struct stat st; @@ -714,15 +714,15 @@ #endif if (arg) - copyip (arg, vec); - if ((cp = context_find (sp))) { + copyip_n (arg, vec, MAXARGS); + if ((cp = context_find (sp)) != NULL) { ap = brkstring (cp = getcpy (cp), " ", "\n"); - ap = copyip (ap, arguments); + ap = copyip_n (ap, arguments, MAXARGS); } else { ap = arguments; } if (arg) - copyip (vec, ap); + copyip_n (vec, ap, MAXARGS); argp = arguments; debugsw = 0; @@ -748,7 +748,7 @@ return; case SHELPSW: - sprintf (buf, "%s [switches]", sp); + snprintf (buf, BUFSIZ, "%s [switches]", sp); print_help (buf, sendswitches, 1); return; case SVERSIONSW: @@ -840,7 +840,7 @@ } /* allow Aliasfile: profile entry */ - if ((cp = context_find ("Aliasfile"))) { + if ((cp = context_find ("Aliasfile")) != NULL) { char *dp = NULL; for (ap = brkstring(dp = getcpy(cp), " ", "\n"); ap && *ap; ap++) { 
@@ -854,7 +854,7 @@ m_putenv ("SIGNATURE", cp); #ifdef UCI else { - sprintf (buf, "%s/.signature", mypath); + snprintf (buf, BUFSIZ, "%s/.signature", mypath); if ((fp = fopen (buf, "r")) != NULL && fgets (buf, sizeof(buf), fp) != NULL) { fclose (fp); @@ -922,7 +922,7 @@ vec[vecp++] = r1bindex (whomproc, '/'); vec[vecp++] = file; if (arg) - while (*arg) + while (*arg && vecp MAXARGS-3) + break; vec[vecp++] = "-alias"; vec[vecp++] = *ap; } @@ -143,7 +145,8 @@ if (dfolder || (cp = getenv ("mhdraft")) == NULL || *cp == '\0') #endif /* WHATNOW */ cp = getcpy (m_draft (dfolder, dmsg, 1, &isdf)); - msg = vec[vecp++] = cp; + if(vecpw_height); + len-=snprintf (bp, len, " %d", (*w)->w_height); bp += strlen (bp); } @@ -1325,7 +1327,7 @@ iov++; } - vsprintf (buffer, fmt, ap); + vsnprintf (buffer, BUFSIZ, fmt, ap); iov->iov_len = strlen (iov->iov_base = buffer); iov++; if (what) { @@ -1338,7 +1340,7 @@ iov++; } if (!(iov->iov_base = strerror (eindex))) { - sprintf (err, "unknown error %d", eindex); + snprintf (err, BUFSIZ, "unknown error %d", eindex); iov->iov_base = err; } iov->iov_len = strlen (iov->iov_base); @@ -1368,7 +1370,7 @@ char buffer[BUFSIZ]; for (i = 0, cp = NULL; i < n; i++, iov++) { - sprintf (buffer, "%*.*s", iov->iov_len, iov->iov_len, + snprintf (buffer, BUFSIZ, "%*.*s", iov->iov_len, iov->iov_len, iov->iov_base); cp = add (buffer, cp); } --- nmh-0.27/uip/mhmisc.c.security Sat Jul 18 14:42:48 1998 +++ nmh-0.27/uip/mhmisc.c Sat Jul 18 14:50:24 1998 @@ -135,16 +135,17 @@ char *bp; char buffer[BUFSIZ]; CI ci; + int len=BUFSIZ-2; bp = buffer; if (userrs && invo_name && *invo_name) { - sprintf (bp, "%s: ", invo_name); + len-=snprintf (bp, len, "%s: ", invo_name); bp += strlen (bp); } va_start (arglist, fmt); - vsprintf (bp, fmt, arglist); + len-=vsnprintf (bp, len, fmt, arglist); bp += strlen (bp); ci = &ct->c_ctinfo; 
@@ -152,28 +153,28 @@ char *s; if (*what) { - sprintf (bp, " %s: ", what); + len-=snprintf (bp, len, " %s: ", what); bp += strlen (bp); } if ((s = strerror (errno))) - sprintf (bp, "%s", s); + len-=snprintf (bp, len, "%s", s); else - sprintf (bp, "Error %d", errno); + len-=snprintf (bp, len, "Error %d", errno); bp += strlen (bp); } i = strlen (invo_name) + 2; - sprintf (bp, "\n%*.*s(content %s/%s", i, i, "", ci->ci_type, ci->ci_subtype); + len-=snprintf (bp, len, "\n%*.*s(content %s/%s", i, i, "", ci->ci_type, ci->ci_subtype); bp += strlen (bp); if (ct->c_file) { - sprintf (bp, " in message %s", ct->c_file); + len-=snprintf (bp, len, " in message %s", ct->c_file); bp += strlen (bp); if (ct->c_partno) { - sprintf (bp, ", part %s", ct->c_partno); + len-=snprintf (bp, len, ", part %s", ct->c_partno); bp += strlen (bp); } } - sprintf (bp, ")"); + len-=snprintf (bp, len, ")"); bp += strlen (bp); if (userrs) { --- nmh-0.27/uip/mhlistsbr.c.security Sat Jul 18 14:44:13 1998 +++ nmh-0.27/uip/mhlistsbr.c Sat Jul 18 14:45:47 1998 @@ -162,7 +162,7 @@ printf (toplevel > 0 ? LSTFMT2a : toplevel < 0 ? "part " : " ", atoi (r1bindex (empty (ct->c_file), '/'))); - sprintf (buffer, "%s/%s", empty (ci->ci_type), empty (ci->ci_subtype)); + snprintf (buffer, BUFSIZ, "%s/%s", empty (ci->ci_type), empty (ci->ci_subtype)); printf (LSTFMT2b, empty (ct->c_partno), buffer); if (ct->c_cesizefnx && realsize) @@ -213,7 +213,7 @@ dp = trimcpy (cp = add (ci->ci_comment, NULL)); free (cp); - sprintf (buffer, "(%s)", dp); + snprintf (buffer, BUFSIZ, "(%s)", dp); free (dp); printf (LSTFMT2d2, buffer); } --- nmh-0.27/uip/mhbuildsbr.c.security Sat Jul 18 14:51:08 1998 +++ nmh-0.27/uip/mhbuildsbr.c Sat Jul 18 15:44:33 1998 
@@ -1026,7 +1026,7 @@ bp = buffer; cp++; - for (i = 0;;) { + for (i = 0;bp-bufferc_partno) { - sprintf (partnam, "%s.", ct->c_partno); - pp = partnam + strlen (partnam); + l-=snprintf (partnam, l, "%s.", ct->c_partno); + pp += strlen (partnam); } - else - pp = partnam; for (part = m->mp_parts, partnum = 1; part; part = part->mp_next, partnum++) { p = part->mp_part; - sprintf (pp, "%d", partnum); + l-=snprintf (pp, l, "%d", partnum); p->c_partno = add (partnam, NULL); if (p->c_ctinitfnx && (*p->c_ctinitfnx) (p) == NOTOK) { @@ -2160,7 +2160,7 @@ putc (';', ce->ce_fp); len++; - sprintf (buffer, "%s=\"%s\"", *ap, *ep); + snprintf (buffer, BUFSIZ, "%s=\"%s\"", *ap, *ep); if (len + 1 + (cc = strlen (buffer)) >= CPERLIN) { fputs ("\n\t", ce->ce_fp); @@ -2385,11 +2385,12 @@ CE ce; static char *username = NULL; static char *password = NULL; + int len=BUFSIZ; e = ct->c_ctexbody; ce = ct->c_cefile; - sprintf (buffer, "%s-access-ftp", invo_name); + snprintf (buffer, BUFSIZ, "%s-access-ftp", invo_name); if ((ftp = context_find (buffer)) && !*ftp) ftp = NULL; 
@@ -2423,26 +2424,26 @@ } bp = buffer; - sprintf (bp, "Retrieve %s", e->eb_name); + len-=snprintf (bp, len, "Retrieve %s", e->eb_name); bp += strlen (bp); if (e->eb_partno) { - sprintf (bp, " (content %s)", e->eb_partno); + len-=snprintf (bp, len, " (content %s)", e->eb_partno); bp += strlen (bp); } - sprintf (bp, "\n using %sFTP from site %s", + len-=snprintf (bp, len, "\n using %sFTP from site %s", e->eb_flags ? "anonymous " : "", e->eb_site); bp += strlen (bp); if (e->eb_size > 0) { - sprintf (bp, " (%lu octets)", e->eb_size); + len-=snprintf (bp, len, " (%lu octets)", e->eb_size); bp += strlen (bp); } - sprintf (bp, "? "); + len-=snprintf (bp, len, "? "); if (!getanswer (buffer)) return NOTOK; if (e->eb_flags) { user = "anonymous"; - sprintf (pass = buffer, "%s@%s", getusername (), LocalName ()); + snprintf (pass = buffer, BUFSIZ, "%s@%s", getusername (), LocalName ()); } else { ruserpass (e->eb_site, &username, &password); user = username; @@ -2587,6 +2588,7 @@ char *bp, buffer[BUFSIZ], *vec[7]; struct exbody *e = ct->c_ctexbody; CE ce = ct->c_cefile; + int len=BUFSIZ; switch (openExternal (e->eb_parent, e->eb_content, ce, file, &fd)) { case NOTOK: @@ -2612,13 +2614,13 @@ } bp = buffer; - sprintf (bp, "Retrieve content"); + len-=snprintf (bp, len, "Retrieve content"); bp += strlen (bp); if (e->eb_partno) { - sprintf (bp, " %s", e->eb_partno); + len-=snprintf (bp, len, " %s", e->eb_partno); bp += strlen (bp); } - sprintf (bp, " by asking %s\n\n%s\n? ", + len-=snprintf (bp, len, " by asking %s\n\n%s\n? ", e->eb_server, e->eb_subject ? e->eb_subject : e->eb_body); if (!getanswer (buffer)) @@ -2733,6 +2735,7 @@ if (status == OK && policy == CACHE_ASK) { char *bp, query[BUFSIZ]; + int ql=BUFSIZ; if (xpid) { if (xpid < 0) 
@@ -2742,23 +2745,24 @@ } bp = query; - if (writing) - sprintf (bp, "Make cached, publically-accessible copy"); - else { + if (writing) { + ql-=snprintf (bp, ql, "Make cached, publically-accessible copy"); + bp += strlen (bp); + } else { struct stat st; - sprintf (bp, "Use cached copy"); + ql-=snprintf (bp, ql, "Use cached copy"); bp += strlen (bp); if (ct->c_partno) { - sprintf (bp, " of content %s", ct->c_partno); + ql-=snprintf (bp, ql, " of content %s", ct->c_partno); bp += strlen (bp); } stat (buffer, &st); - sprintf (bp, " (size %lu octets)", + ql-=snprintf (bp, ql, " (size %lu octets)", (unsigned long) st.st_size); + bp += strlen (bp); } - bp += strlen (bp); - sprintf (bp, "\n in file %s? ", buffer); + ql-=snprintf (bp, ql, "\n in file %s? ", buffer); if (!getanswer (query)) status = NOTOK; } @@ -2791,7 +2795,7 @@ if (debugsw) fprintf (stderr, "find_cache_aux %s usemap=%d\n", directory, usemap); - sprintf (mapfile, "%s/cache.map", directory); + snprintf (mapfile, BUFSIZ, "%s/cache.map", directory); if (find_cache_aux2 (mapfile, id, mapname) == OK) goto done_map; @@ -2800,7 +2804,7 @@ return NOTOK; use_raw: - sprintf (buffer, "%s/%s", directory, id); + snprintf (buffer, BUFSIZ, "%s/%s", directory, id); return OK; } @@ -2826,7 +2830,7 @@ partno = 0; } - sprintf (mapname, "%08x%04x%02x", + snprintf (mapname, BUFSIZ, "%08x%04x%02x", (unsigned int) (clock & 0xffffffff), (unsigned int) (pid & 0xffff), (unsigned int) (partno++ & 0xff)); @@ -2852,9 +2856,9 @@ done_map: if (*mapname == '/') - strcpy (buffer, mapname); + strncpy (buffer, mapname, BUFSIZ); else - sprintf (buffer, "%s/%s", directory, mapname); + snprintf (buffer, BUFSIZ, "%s/%s", directory, mapname); if (debugsw) fprintf (stderr, "use %s\n", buffer); @@ -2996,7 +3000,7 @@ adios (ct->c_file, "unable to open for writing"); if (buf[0] == '#' && buf[1] == '<') { - strcpy (content, buf + 2); + strncpy (content, buf + 2, BUFSIZ); inlineD = 1; goto rock_and_roll; } else { 
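Review bot: At `done_map:` in mhbuildsbr.c, `strncpy (buffer, mapname, BUFSIZ)` leaves `buffer` without a terminating NUL when `mapname` is BUFSIZ bytes or longer, and the `fprintf (stderr, "use %s\n", buffer)` that follows then reads past the end. `snprintf (buffer, BUFSIZ, "%s", mapname);` always terminates, which is what the patch already does for `altpath` in whatnowsbr.c. The same applies to the other `strncpy` replacements: `content` and `buffer` in the later mhbuildsbr.c hunks, `strncpy (buffer, cp, BUFSIZ)` in mhshowsbr.c, and the `strncpy (bp, ..., len)` calls in the format-expansion switches, which are followed by `strlen (bp)`. The declaration of `buffer` is outside this hunk, so BUFSIZ as its size is an assumption to confirm.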
@@ -3005,7 +3009,7 @@ strcpy (content, "text/plain"); /* the directive is implicit */ headers = 0; - strcpy (buffer, buf[0] != '#' ? buf : buf + 1); + strncpy (buffer, buf[0] != '#' ? buf : buf + 1, BUFSIZ); for (;;) { int i; @@ -3157,7 +3161,7 @@ ci->ci_type, ci->ci_subtype); p = ct; - sprintf (buffer, "message/external-body; %s", ci->ci_magic); + snprintf (buffer, BUFSIZ, "message/external-body; %s", ci->ci_magic); free (ci->ci_magic); ci->ci_magic = NULL; @@ -3214,9 +3218,9 @@ * No [file] argument, so check profile for * method to compose content. */ - sprintf (buffer, "%s-compose-%s/%s", invo_name, ci->ci_type, ci->ci_subtype); + snprintf (buffer, BUFSIZ, "%s-compose-%s/%s", invo_name, ci->ci_type, ci->ci_subtype); if ((cp = context_find (buffer)) == NULL || *cp == '\0') { - sprintf (buffer, "%s-compose-%s", invo_name, ci->ci_type); + snprintf (buffer, BUFSIZ, "%s-compose-%s", invo_name, ci->ci_type); if ((cp = context_find (buffer)) == NULL || *cp == '\0') { content_error (NULL, ct, "don't know how to compose content"); done (1); @@ -3240,7 +3244,7 @@ if (ci->ci_magic) { ap = brkstring (ci->ci_magic, " ", "\n"); - ap = copyip (ap, arguments); + ap = copyip_n (ap, arguments, MAXARGS); } else { arguments[0] = "cur"; arguments[1] = NULL; @@ -3298,7 +3302,7 @@ p->c_type = CT_MESSAGE; p->c_subtype = MESSAGE_RFC822; - sprintf (buffer, "%s/%d", mp->foldpath, msgnum); + snprintf (buffer, BUFSIZ, "%s/%d", mp->foldpath, msgnum); p->c_file = add (buffer, NULL); if (listsw && stat (p->c_file, &st) != NOTOK) p->c_end = (long) st.st_size; @@ -3317,7 +3321,7 @@ ct->c_subtype = MESSAGE_RFC822; msgnum = mp->lowsel; - sprintf (buffer, "%s/%d", mp->foldpath, msgnum); + snprintf (buffer, BUFSIZ, "%s/%d", mp->foldpath, msgnum); ct->c_file = add (buffer, NULL); if (listsw && stat (ct->c_file, &st) != NOTOK) ct->c_end = (long) st.st_size; 
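Review bot: In the hunk at old line 3298, a truncated `snprintf (buffer, BUFSIZ, "%s/%d", mp->foldpath, msgnum)` is accepted as a complete path: the result goes straight into `p->c_file` and `stat`, so an over-long folder path would name a different file rather than fail. Checking the return value makes the truncation visible, e.g. `n = snprintf (buffer, BUFSIZ, "%s/%d", mp->foldpath, msgnum);` followed by `if (n < 0 || n >= BUFSIZ) adios (NULL, "message path too long");` with `n` an `int`. The hunk at old line 3317 builds `ct->c_file` the same way. Both lie inside a function that starts outside the hunks.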
@@ -3357,7 +3361,7 @@ } free_ctinfo (ct); - sprintf (buffer, "multipart/%s", cp); + snprintf (buffer, BUFSIZ, "multipart/%s", cp); if (get_ctinfo (buffer, ct, 0) == NOTOK) done (1); ct->c_type = CT_MULTIPART; @@ -3408,12 +3412,12 @@ if (clock == 0) { time (&clock); - sprintf (msgid, "<%d.%ld.%%d@%s>\n", + snprintf (msgid, BUFSIZ, "<%d.%ld.%%d@%s>\n", (int) getpid(), (long) clock, LocalName()); partno = 0; msgfmt = getcpy(msgid); } - sprintf (msgid, msgfmt, top ? 0 : ++partno); + snprintf (msgid, BUFSIZ, msgfmt, top ? 0 : ++partno); ct->c_id = getcpy (msgid); } @@ -3474,18 +3478,18 @@ char partnam[BUFSIZ]; struct multipart *m = (struct multipart *) ct->c_ctparams; struct part *part; + int len = BUFSIZ; + pp = partnam; if (ct->c_partno) { - sprintf (partnam, "%s.", ct->c_partno); - pp = partnam + strlen (partnam); - } else { - pp = partnam; + len-=snprintf (partnam, len, "%s.", ct->c_partno); + pp += strlen (partnam); } for (part = m->mp_parts, partnum = 1; part; part = part->mp_next, partnum++) { CT p = part->mp_part; - sprintf (pp, "%d", partnum); + len-=snprintf (pp, len, "%d", partnum); p->c_partno = add (partnam, NULL); if (compose_content (p) == NOTOK) return NOTOK; @@ -3542,6 +3546,7 @@ char *bp, **ap; char *vec[4]; FILE *out; + int len; if (!(cp = ci->ci_magic)) adios (NULL, "internal error(5)"); @@ -3555,6 +3560,7 @@ /* * Parse composition string */ + len = BUFSIZ; for (bp = buffer; *cp; cp++) { if (*cp == '%') { switch (*++cp) { @@ -3565,7 +3571,7 @@ char *s = ""; for (ap = ci->ci_attrs, ep = ci->ci_values; *ap; ap++, ep++) { - sprintf (bp, "%s%s=\"%s\"", s, *ap, *ep); + len-=snprintf (bp, len, "%s%s=\"%s\"", s, *ap, *ep); bp += strlen (bp); s = " "; } @@ -3582,12 +3588,12 @@ * insert temporary filename where * content should be written */ - sprintf (bp, "%s", ct->c_file); + snprintf (bp, len, "%s", ct->c_file); break; case 's': /* insert content subtype */ - strcpy (bp, ci->ci_subtype); + strncpy (bp, ci->ci_subtype, len); break; case '%': 
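Review bot: In the hunk at old line 3474, `len-=snprintf (pp, len, "%d", partnum);` subtracts from `len` on every pass of the `for` loop although `pp` is never advanced, so the bound shrinks with the number of parts and eventually goes negative. Each pass overwrites the same position, so the bound should be fixed once before the loop with `len = BUFSIZ - (pp - partnam);` and the loop should call `snprintf (pp, len, "%d", partnum);` without the subtraction. The earlier mhbuildsbr.c hunk that uses `l` for the same purpose has the same loop. The function starts outside the hunk.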
@@ -3595,15 +3601,24 @@ goto raw; default: - *bp++ = *--cp; - *bp = '\0'; + if (len>1) { + *bp++ = *--cp; + *bp = '\0'; + len--; + } continue; } - bp += strlen (bp); + if (*bp) { + len -= strlen (bp); + bp += strlen (bp); + } } else { raw: - *bp++ = *cp; - *bp = '\0'; + if (len>1) { + *bp++ = *cp; + *bp = '\0'; + len--; + } } } @@ -3910,7 +3925,7 @@ ap = ci->ci_attrs; ep = ci->ci_values; - sprintf (buffer, "boundary=%s%d", prefix, level++); + snprintf (buffer, BUFSIZ, "boundary=%s%d", prefix, level++); cp = strchr(*ap++ = add (buffer, NULL), '='); *ap = NULL; *cp++ = '\0'; @@ -3948,7 +3963,7 @@ putc (';', out); len++; - sprintf (buffer, "%s=\"%s\"", *ap, *ep); + snprintf (buffer, BUFSIZ, "%s=\"%s\"", *ap, *ep); if (len + 1 + (cc = strlen (buffer)) >= CPERLIN) { fputs ("\n\t", out); --- nmh-0.27/uip/viamail.c.security Sat Jul 18 15:25:45 1998 +++ nmh-0.27/uip/viamail.c Sat Jul 18 16:37:27 1998 @@ -73,7 +73,7 @@ int delay = 0; char *f1 = NULL, *f2 = NULL, *f3 = NULL; char *f4 = NULL, *f5 = NULL, *f7 = NULL; - char *cp, buf[100], **ap; + char *cp, buf[BUFSIZ], **ap; char **argp, *arguments[MAXARGS]; #ifdef LOCALE @@ -87,13 +87,13 @@ if (context_foil (NULL) == -1) done (1); - if ((cp = context_find (invo_name))) { + if ((cp = context_find (invo_name)) != NULL) { ap = brkstring (cp = getcpy (cp), " ", "\n"); - ap = copyip (ap, arguments); + ap = copyip_n (ap, arguments, MAXARGS); } else { ap = arguments; } - copyip (argv + 1, ap); + copyip_n (argv + 1, ap, MAXARGS); argp = arguments; while ((cp = *argp++)) { @@ -106,7 +106,7 @@ adios (NULL, "-%s unknown", cp); case HELPSW: - sprintf (buf, "%s [switches]", invo_name); + snprintf (buf, BUFSIZ, "%s [switches]", invo_name); print_help (buf, switches, 1); done (1); case VERSIONSW: --- nmh-0.27/uip/mhshowsbr.c.security Sat Jul 18 15:51:18 1998 +++ nmh-0.27/uip/mhshowsbr.c Sat Jul 18 16:03:47 1998 
@@ -293,12 +293,12 @@ CI ci = &ct->c_ctinfo; /* Check for mhn-show-type/subtype */ - sprintf (buffer, "%s-show-%s/%s", invo_name, ci->ci_type, ci->ci_subtype); + snprintf (buffer, BUFSIZ, "%s-show-%s/%s", invo_name, ci->ci_type, ci->ci_subtype); if ((cp = context_find (buffer)) && *cp != '\0') return show_content_aux (ct, serial, alternate, cp, NULL); /* Check for mhn-show-type */ - sprintf (buffer, "%s-show-%s", invo_name, ci->ci_type); + snprintf (buffer, BUFSIZ, "%s-show-%s", invo_name, ci->ci_type); if ((cp = context_find (buffer)) && *cp != '\0') return show_content_aux (ct, serial, alternate, cp, NULL); @@ -325,6 +325,7 @@ char *bp, *file; char buffer[BUFSIZ]; CI ci = &ct->c_ctinfo; + int len; if (!ct->c_ceopenfnx) { if (!alternate) @@ -345,11 +346,12 @@ xtty = 0; if (cracked) { - strcpy (buffer, cp); + strncpy (buffer, cp, BUFSIZ); goto got_command; } buffer[0] = '\0'; + len = BUFSIZ; for (bp = buffer; *cp; cp++) { if (*cp == '%') { switch (*++cp) { @@ -360,7 +362,7 @@ char *s = ""; for (ap = ci->ci_attrs, ep = ci->ci_values; *ap; ap++, ep++) { - sprintf (bp, "%s%s=\"%s\"", s, *ap, *ep); + len-=snprintf (bp, len, "%s%s=\"%s\"", s, *ap, *ep); bp += strlen (bp); s = " "; } @@ -372,7 +374,7 @@ if (ct->c_descr) { char *s; - strcpy (bp, s = trimcpy (ct->c_descr)); + strncpy (bp, s = trimcpy (ct->c_descr), len); free (s); } break; @@ -390,7 +392,7 @@ case 'f': /* insert filename containing content */ - sprintf (bp, "%s", file); + snprintf (bp, len, "%s", file); break; case 'p': @@ -405,7 +407,7 @@ case 's': /* insert subtype of content */ - strcpy (bp, ci->ci_subtype); + strncpy (bp, ci->ci_subtype, len); break; case '%': @@ -413,15 +415,24 @@ goto raw; default: - *bp++ = *--cp; - *bp = '\0'; + if (len>1) { + *bp++ = *--cp; + *bp = '\0'; + len--; + } continue; } - bp += strlen (bp); + if (*bp) { + len -= strlen (bp); + bp += strlen (bp); + } } else { raw: - *bp++ = *cp; - *bp = '\0'; + if (len>1) { + *bp++ = *cp; + *bp = '\0'; + len--; + } } } 
@@ -430,7 +441,7 @@ char term[BUFSIZ]; strcpy (term, buffer); - sprintf (buffer, ct->c_termproc, term); + snprintf (buffer, BUFSIZ, ct->c_termproc, term); } got_command: @@ -556,12 +567,12 @@ CI ci = &ct->c_ctinfo; /* Check for mhn-show-type/subtype */ - sprintf (buffer, "%s-show-%s/%s", invo_name, ci->ci_type, ci->ci_subtype); + snprintf (buffer, BUFSIZ, "%s-show-%s/%s", invo_name, ci->ci_type, ci->ci_subtype); if ((cp = context_find (buffer)) && *cp != '\0') return show_content_aux (ct, serial, alternate, cp, NULL); /* Check for mhn-show-type */ - sprintf (buffer, "%s-show-%s", invo_name, ci->ci_type); + snprintf (buffer, BUFSIZ, "%s-show-%s", invo_name, ci->ci_type); if ((cp = context_find (buffer)) && *cp != '\0') return show_content_aux (ct, serial, alternate, cp, NULL); @@ -570,7 +581,7 @@ * if it is not a text part of a multipart/alternative */ if (!alternate || ct->c_subtype == TEXT_PLAIN) { - sprintf (buffer, "%%p%s '%%F'", progsw ? progsw : + snprintf (buffer, BUFSIZ, "%%p%s '%%F'", progsw ? progsw : moreproc && *moreproc ? moreproc : "more"); cp = (ct->c_showproc = add (buffer, NULL)); return show_content_aux (ct, serial, alternate, cp, NULL); @@ -591,12 +602,12 @@ CI ci = &ct->c_ctinfo; /* Check for mhn-show-type/subtype */ - sprintf (buffer, "%s-show-%s/%s", invo_name, ci->ci_type, ci->ci_subtype); + snprintf (buffer, BUFSIZ, "%s-show-%s/%s", invo_name, ci->ci_type, ci->ci_subtype); if ((cp = context_find (buffer)) && *cp != '\0') return show_multi_aux (ct, serial, alternate, cp); /* Check for mhn-show-type */ - sprintf (buffer, "%s-show-%s", invo_name, ci->ci_type); + snprintf (buffer, BUFSIZ, "%s-show-%s", invo_name, ci->ci_type); if ((cp = context_find (buffer)) && *cp != '\0') return show_multi_aux (ct, serial, alternate, cp); @@ -769,6 +780,7 @@ struct part *part; CI ci = &ct->c_ctinfo; CT p; + int len; for (part = m->mp_parts; part; part = part->mp_next) { p = part->mp_part; 
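Review bot: In the hunk at old line 430, `ct->c_termproc` is still used as the format string of `snprintf (buffer, BUFSIZ, ct->c_termproc, term)`, and the size bound does nothing about the conversions it contains. Where `c_termproc` is set is not visible here; if it can hold anything other than a single `%s`, the call consumes arguments that were never passed. A comment stating the contract would help, for example `/* c_termproc must contain exactly one %s, replaced by the command */`, ideally backed by a check where the value is read. The hunk at old line 887 has the same call.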
@@ -798,6 +810,7 @@ xtty = 0; buffer[0] = '\0'; + len = BUFSIZ; for (bp = buffer; *cp; cp++) { if (*cp == '%') { switch (*++cp) { @@ -808,7 +821,7 @@ char *s = ""; for (ap = ci->ci_attrs, ep = ci->ci_values; *ap; ap++, ep++) { - sprintf (bp, "%s%s=\"%s\"", s, *ap, *ep); + len-=snprintf (bp, len, "%s%s=\"%s\"", s, *ap, *ep); bp += strlen (bp); s = " "; } @@ -820,7 +833,7 @@ if (ct->c_descr) { char *s; - strcpy (bp, s = trimcpy (ct->c_descr)); + strncpy (bp, s = trimcpy (ct->c_descr), len); free (s); } break; @@ -843,7 +856,7 @@ for (part = m->mp_parts; part; part = part->mp_next) { p = part->mp_part; - sprintf (bp, "%s'%s'", s, p->c_storage); + len-=snprintf (bp, len, "%s'%s'", s, p->c_storage); bp += strlen (bp); s = " "; } @@ -862,7 +875,7 @@ case 's': /* insert subtype of content */ - strcpy (bp, ci->ci_subtype); + strncpy (bp, ci->ci_subtype, len); break; case '%': @@ -870,15 +883,24 @@ goto raw; default: - *bp++ = *--cp; - *bp = '\0'; + if (len>1) { + *bp++ = *--cp; + *bp = '\0'; + len--; + } continue; } - bp += strlen (bp); + if (*bp) { + len -= strlen(bp); + bp += strlen (bp); + } } else { raw: - *bp++ = *cp; - *bp = '\0'; + if (len>1) { + *bp++ = *cp; + *bp = '\0'; + len--; + } } } @@ -887,7 +909,7 @@ char term[BUFSIZ]; strcpy (term, buffer); - sprintf (buffer, ct->c_termproc, term); + snprintf (buffer, BUFSIZ, ct->c_termproc, term); } return show_content_aux2 (ct, serial, alternate, NULL, buffer, 
@@ -906,12 +928,12 @@ CI ci = &ct->c_ctinfo; /* Check for mhn-show-type/subtype */ - sprintf (buffer, "%s-show-%s/%s", invo_name, ci->ci_type, ci->ci_subtype); + snprintf (buffer, BUFSIZ, "%s-show-%s/%s", invo_name, ci->ci_type, ci->ci_subtype); if ((cp = context_find (buffer)) && *cp != '\0') return show_content_aux (ct, serial, alternate, cp, NULL); /* Check for mhn-show-type */ - sprintf (buffer, "%s-show-%s", invo_name, ci->ci_type); + snprintf (buffer, BUFSIZ, "%s-show-%s", invo_name, ci->ci_type); if ((cp = context_find (buffer)) && *cp != '\0') return show_content_aux (ct, serial, alternate, cp, NULL); --- nmh-0.27/uip/mhstoresbr.c.security Sat Jul 18 16:05:41 1998 +++ nmh-0.27/uip/mhstoresbr.c Sat Jul 18 16:13:42 1998 @@ -72,7 +72,7 @@ static int output_content_file (CT, int); static int check_folder (char *); static int output_content_folder (char *, char *); -static int parse_format_string (CT, char *, char *, char *); +static int parse_format_string (CT, char *, char *, int, char *); static void get_storeproc (CT); static int copy_some_headers (FILE *, CT); @@ -95,7 +95,7 @@ if (autosw) { dir = getcpy (cwd); } else { - sprintf (buffer, "%s-storage", invo_name); + snprintf (buffer, BUFSIZ, "%s-storage", invo_name); if ((cp = context_find (buffer)) && *cp) dir = getcpy (cp); else @@ -530,9 +530,9 @@ if ((cp = ct->c_storeproc) == NULL || *cp == '\0') { CI ci = &ct->c_ctinfo; - sprintf (buffer, "%s-store-%s/%s", invo_name, ci->ci_type, ci->ci_subtype); + snprintf (buffer, BUFSIZ, "%s-store-%s/%s", invo_name, ci->ci_type, ci->ci_subtype); if ((cp = context_find (buffer)) == NULL || *cp == '\0') { - sprintf (buffer, "%s-store-%s", invo_name, ci->ci_type); + snprintf (buffer, BUFSIZ, "%s-store-%s", invo_name, ci->ci_type); if ((cp = context_find (buffer)) == NULL || *cp == '\0') { cp = ct->c_type == CT_MESSAGE ? "+" : "%m%P.%s"; } 
@@ -572,7 +572,7 @@ /* * Parse and expand the storage formatting string. */ - parse_format_string (ct, cp, buffer, dir); + parse_format_string (ct, cp, buffer, BUFSIZ, dir); /* * If formatting begins with '|' or '!', then pass @@ -928,7 +928,7 @@ */ static int -parse_format_string (CT ct, char *cp, char *buffer, char *dir) +parse_format_string (CT ct, char *cp, char *buffer, int len, char *dir) { char *bp; CI ci = &ct->c_ctinfo; @@ -938,7 +938,7 @@ * return (send content to standard output). */ if (!cp[1]) { - sprintf (buffer, "-"); + snprintf(buffer, len, "="); return 0; } @@ -951,7 +951,7 @@ * appropriate directory. */ if (*cp != '/' && *cp != '|' && *cp != '!') { - sprintf (buffer, "%s/", dir[1] ? dir : ""); + len-=snprintf (buffer, len, "%s/", dir[1] ? dir : ""); bp += strlen (bp); } @@ -966,8 +966,11 @@ * This is only valid for '|' commands. */ if (buffer[0] != '|' && buffer[0] != '!') { - *bp++ = *--cp; - *bp = '\0'; + if (len>1) { + *bp++ = *--cp; + *bp = '\0'; + len--; + } continue; } else { char **ap, **ep; @@ -975,7 +978,7 @@ for (ap = ci->ci_attrs, ep = ci->ci_values; *ap; ap++, ep++) { - sprintf (bp, "%s%s=\"%s\"", s, *ap, *ep); + len-=snprintf (bp, len, "%s%s=\"%s\"", s, *ap, *ep); bp += strlen (bp); s = " "; } @@ -984,29 +987,29 @@ case 'm': /* insert message number */ - sprintf (bp, "%s", r1bindex (ct->c_file, '/')); + snprintf (bp, len, "%s", r1bindex (ct->c_file, '/')); break; case 'P': /* insert part number with leading dot */ if (ct->c_partno) - sprintf (bp, ".%s", ct->c_partno); + snprintf (bp, len, ".%s", ct->c_partno); break; case 'p': /* insert part number withouth leading dot */ if (ct->c_partno) - strcpy (bp, ct->c_partno); + strncpy (bp, ct->c_partno, len); break; case 't': /* insert content type */ - strcpy (bp, ci->ci_type); + strncpy (bp, ci->ci_type, len); break; case 's': /* insert content subtype */ - strcpy (bp, ci->ci_subtype); + strncpy (bp, ci->ci_subtype, len); break; case '%': 
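Review bot: On the `!cp[1]` path of `parse_format_string`, the new call writes `"="` where the removed line wrote `"-"`, which changes behaviour beyond adding a bound and looks like a typo. The comment above it says this path sends the content to standard output, so the caller presumably tests for `-`; the line should read `snprintf (buffer, len, "-");`. The rest of the function is outside this hunk.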
@@ -1014,16 +1017,25 @@ goto raw; default: - *bp++ = *--cp; - *bp = '\0'; + if (len > 1) { + *bp++ = *--cp; + *bp = '\0'; + len--; + } continue; } - bp += strlen (bp); + if (*bp) { + len -= strlen (bp); + bp += strlen (bp); + } } else { raw: - *bp++ = *cp; - *bp = '\0'; + if (len > 1) { + *bp++ = *cp; + *bp = '\0'; + len--; + } } }