strcat -> strncat

sprintf -> snprintf AKA, really big buffer overflow security fixes. More to come, geez we have holes everywhere.
2025-01-22 16:01:25 +00:00 · 2000-12-05 11:08:30 +00:00 · 2000-12-05 11:08:30 +00:00 · 66e0e31b57
commit 66e0e31b57
parent 2652e77b5f
29 changed files with 83 additions and 86 deletions
--- a/source/cl_cam.c
+++ b/source/cl_cam.c
@ -148,7 +148,7 @@ void Cam_Lock(int playernum)
 {
 	char st[40];
-	sprintf(st, "ptrack %i", playernum);
+	snprintf(st, sizeof(st), "ptrack %i", playernum);
 	MSG_WriteByte (&cls.netchan.message, clc_stringcmd);
 	MSG_WriteString (&cls.netchan.message, st);
 	spec_track = playernum;
--- a/source/cl_main.c
+++ b/source/cl_main.c
@ -328,7 +328,7 @@ void CL_CheckForResend (void)
 	VID_SetCaption (va ("Connecting to %s", cls.servername));
 	Con_Printf ("Connecting to %s...\n", cls.servername);
-	sprintf (data, "%c%c%c%cgetchallenge\n", 255, 255, 255, 255);
+	snprintf (data, sizeof(data), "%c%c%c%cgetchallenge\n", 255, 255, 255, 255);
 	NET_SendPacket (strlen(data), data, adr);
 }
@ -596,9 +596,9 @@ void CL_Color_f (void)
 	if (bottom > 13)
 		bottom = 13;
-	sprintf (num, "%i", top);
+	snprintf (num, sizeof(num), "%i", top);
 	Cvar_Set (topcolor, num);
-	sprintf (num, "%i", bottom);
+	snprintf (num, sizeof(num), "%i", bottom);
 	Cvar_Set (bottomcolor, num);
 }
@ -1171,8 +1171,8 @@ void CL_Init (void)
 	Info_SetValueForKey (cls.userinfo, "bottomcolor", "0", MAX_INFO_STRING);
 	Info_SetValueForKey (cls.userinfo, "rate", "2500", MAX_INFO_STRING);
 	Info_SetValueForKey (cls.userinfo, "msg", "1", MAX_INFO_STRING);
-//	sprintf (st, "%s-%04d", QW_VERSION, build_number());
+//	snprintf (st, sizeof(st), "%s-%04d", QW_VERSION, build_number());
-	sprintf (st, "%s", QW_VERSION);
+	snprintf (st, sizeof(st), "%s", QW_VERSION);
 	Info_SetValueForStarKey (cls.userinfo, "*ver", st, MAX_INFO_STRING);
 	Info_SetValueForStarKey (cls.userinfo, "stdver", QSG_VERSION, MAX_INFO_STRING);
--- a/source/cl_parse.c
+++ b/source/cl_parse.c
@ -231,7 +231,7 @@ qboolean	CL_CheckOrDownloadFile (char *filename)
 	// to the real name when done, so if interrupted
 	// a runt file wont be left
 	COM_StripExtension (cls.downloadname, cls.downloadtempname);
-	strcat (cls.downloadtempname, ".tmp");
+	strncat (cls.downloadtempname,  ".tmp", sizeof(cls.downloadtempname));
 	MSG_WriteByte (&cls.netchan.message, clc_stringcmd);
 	MSG_WriteString (&cls.netchan.message, va("download %s", cls.downloadname));
--- a/source/cl_sys_win.c
+++ b/source/cl_sys_win.c
@ -331,7 +331,7 @@ char *Sys_ConsoleInput (void)
 										if (i>0) {
 											textCopied[i]=0;
 											text[len]=0;
-											strcat(text, textCopied);
+											strncat (text,  textCopied, sizeof(text));
 											len+=dummy;
 											WriteFile(houtput, textCopied, i, &dummy, NULL);
 										}
--- a/source/cmd.c
+++ b/source/cmd.c
@ -317,8 +317,8 @@ void Cmd_StuffCmds_f (void)
 			c = com_cmdline[j];
 			com_cmdline[j] = 0;
-			strcat (build, com_cmdline+i);
+			strncat (build,  com_cmdline+i, sizeof(build));
-			strcat (build, "\n");
+			strncat (build,  "\n", sizeof(build));
 			com_cmdline[j] = c;
 			i = j-1;
 		}
@ -473,11 +473,11 @@ void Cmd_Alias_f (void)
 	c = Cmd_Argc();
 	for (i=2 ; i< c ; i++)
 	{
-		strcat (cmd, Cmd_Argv(i));
+		strncat (cmd,  Cmd_Argv(i), sizeof(cmd));
 		if (i != c)
-			strcat (cmd, " ");
+			strncat (cmd,  " ", sizeof(cmd));
 	}
-	strcat (cmd, "\n");
+	strncat (cmd,  "\n", sizeof(cmd));
 	a->value = CopyString (cmd);
 }
--- a/source/console.c
+++ b/source/console.c
@ -620,10 +620,10 @@ void Con_DrawConsole (int lines)
 			y = x - i - 11;
 			strncpy(dlbar, text, i);
 			dlbar[i] = 0;
-			strcat(dlbar, "...");
+			strncat (dlbar,  "...", sizeof(dlbar));
 		} else
 			strcpy(dlbar, text);
-		strcat(dlbar, ": ");
+		strncat (dlbar,  ": ", sizeof(dlbar));
 		i = strlen(dlbar);
 		dlbar[i++] = '\x80';
 		// where's the dot go?
--- a/source/cvar.c
+++ b/source/cvar.c
@ -241,7 +241,7 @@ void Cvar_SetValue (cvar_t *var, float value)
 	char	val[32];
 	int		i;
-	sprintf (val, "%f", value);
+	snprintf (val, sizeof(val), "%f", value);
 	for (i=strlen(val)-1 ; i>0 && val[i]=='0' && val[i-1]!='.' ; i--)
 	{
 		val[i] = 0;
--- a/source/gl_mesh.c
+++ b/source/gl_mesh.c
@ -329,7 +329,7 @@ void GL_MakeAliasModelDisplayLists (model_t *m, aliashdr_t *hdr)
 	//
 	strcpy (cache, "glquake/");
 	COM_StripExtension (m->name+strlen("progs/"), cache+strlen("glquake/"));
-	strcat (cache, ".ms2");
+	strncat (cache,  ".ms2", sizeof(cache));
 	COM_FOpenFile (cache, &f);	
 	if (f)
--- a/source/gl_model_brush.c
+++ b/source/gl_model_brush.c
@ -79,7 +79,7 @@ void Mod_LoadLighting (lump_t *l)
 	strcpy(litfilename, loadmodel->name);
 	COM_StripExtension(litfilename, litfilename);
-	strcat(litfilename, ".lit");
+	strncat (litfilename,  ".lit", sizeof(litfilename));
 	loadmodel->lightdata = (byte*) COM_LoadHunkFile (litfilename);
 	if (!loadmodel->lightdata) // expand the white lighting data
--- a/source/gl_ngraph.c
+++ b/source/gl_ngraph.c
@ -146,7 +146,7 @@ void R_NetGraph (void)
 	M_DrawTextBox (x, y, NET_TIMINGS/8, NET_GRAPHHEIGHT/8 + 1);
 	y += 8;
-	sprintf(st, "%3i%% packet loss", lost);
+	snprintf(st, sizeof(st), "%3i%% packet loss", lost);
 	Draw_String8 (8, y, st);
 	y += 8;
--- a/source/gl_screen.c
+++ b/source/gl_screen.c
@ -474,7 +474,7 @@ void SCR_DrawFPS (void)
 		lastframetime = t;
 	}
 	/* Misty: I really do need to read about sprintf a bit. This thing keeps chewing on my foot! */
-	sprintf(st, "%-3d FPS", lastfps);
+	snprintf(st, sizeof(st), "%-3d FPS", lastfps);
 	/* Misty: New trick! (for me) the ? makes this work like a if then else - IE: if 
 	cl_hudswap->int_val is not null, do first case, else (else is a : here) do second case.
 	Deek taught me this trick */
@ -511,7 +511,7 @@ void SCR_DrawTime (void)
 	}
 	/* now actually print it to the screen directly below where show_fps is */
-	sprintf (st, "%s", local_time);
+	snprintf (st, sizeof(st), "%s", local_time);
 	x = cl_hudswap->int_val ? vid.width - ((strlen (st) * 8) + 8) : 8;
 	y = vid.height - sb_lines - 16;
 	Draw_String8 (x, y, st);
--- a/source/keys.c
+++ b/source/keys.c
@ -659,9 +659,9 @@ Key_Bind_f ( void )
 	cmd[0] = 0;		// start out with a null string
 	for (i=2 ; i< c ; i++)
 	{
-		strcat (cmd, Cmd_Argv(i));
+		strncat (cmd,  Cmd_Argv(i), sizeof(cmd));
 		if (i != (c-1))
-			strcat (cmd, " ");
+			strncat (cmd,  " ", sizeof(cmd));
 	}
 	Key_SetBinding (b, cmd);
--- a/source/locs.c
+++ b/source/locs.c
@ -31,9 +31,6 @@
 #endif
 #include <limits.h>
 #ifndef WIN32
 #include <sys/param.h>
 #endif
 #include <string.h>
 #include "client.h"
--- a/source/model_alias.c
+++ b/source/model_alias.c
@ -108,7 +108,7 @@ void Mod_LoadAliasModel (model_t *mod, void *buffer)
 		for (len = com_filesize, p = buffer; len; len--, p++)
 			CRC_ProcessByte(&crc, *p);
-		sprintf(st, "%d", (int) crc);
+		snprintf(st, sizeof(st), "%d", (int) crc);
 		Info_SetValueForKey (cls.userinfo, 
 			!strcmp(loadmodel->name, "progs/player.mdl") ? pmodel_name : emodel_name,
 			st, MAX_INFO_STRING);
--- a/source/net_udp.c
+++ b/source/net_udp.c
@ -140,7 +140,7 @@ char	*NET_AdrToString (netadr_t a)
 {
 	static	char	s[64];
-	sprintf (s, "%i.%i.%i.%i:%i", a.ip[0], a.ip[1], a.ip[2], a.ip[3], ntohs(a.port));
+	snprintf (s, sizeof(s), "%i.%i.%i.%i:%i", a.ip[0], a.ip[1], a.ip[2], a.ip[3], ntohs(a.port));
 	return s;
 }
@ -149,7 +149,7 @@ char	*NET_BaseAdrToString (netadr_t a)
 {
 	static	char	s[64];
-	sprintf (s, "%i.%i.%i.%i", a.ip[0], a.ip[1], a.ip[2], a.ip[3]);
+	snprintf (s, sizeof(s), "%i.%i.%i.%i", a.ip[0], a.ip[1], a.ip[2], a.ip[3]);
 	return s;
 }
--- a/source/pr_cmds.c
+++ b/source/pr_cmds.c
@ -65,7 +65,7 @@ char *PF_VarString (int	first)
 	out[0] = 0;
 	for (i=first ; i<pr_argc ; i++)
 	{
-		strcat (out, G_STRING((OFS_PARM0+i*3)));
+		strncat (out,  G_STRING((OFS_PARM0+i*3)), sizeof(out));
 	}
 	return out;
 }
@ -722,7 +722,7 @@ void PF_stuffcmd (void)
 	buf = cl->stufftext_buf;
 	if (strlen(buf) + strlen(str) >= MAX_STUFFTEXT)
 		PR_RunError ("stufftext buffer overflow");
-	strcat (buf, str);
+	strncat (buf,  str, sizeof(buf));
 	for (i = strlen(buf); i >= 0; i--)
 	{
@ -864,11 +864,11 @@ void PF_ftos (void)
 	v = G_FLOAT(OFS_PARM0);
 	if (v == (int)v)
-		sprintf (pr_string_temp, "%d",(int)v);
+		snprintf (pr_string_temp, sizeof(pr_string_temp), "%d",(int)v);
 	else
 // 1999-07-25 FTOS fix by Maddes  start
 	{
-		sprintf (pr_string_temp, "%1f", v);
+		snprintf (pr_string_temp, sizeof(pr_string_temp), "%1f", v);
 		for (i=strlen(pr_string_temp)-1 ; i>0 && pr_string_temp[i]=='0' && pr_string_temp[i-1]!='.' ; i--)
 		{
 			pr_string_temp[i] = 0;
@ -887,7 +887,7 @@ void PF_fabs (void)
 void PF_vtos (void)
 {
-	sprintf (pr_string_temp, "'%5.1f %5.1f %5.1f'", G_VECTOR(OFS_PARM0)[0], G_VECTOR(OFS_PARM0)[1], G_VECTOR(OFS_PARM0)[2]);
+	snprintf (pr_string_temp, sizeof(pr_string_temp), "'%5.1f %5.1f %5.1f'", G_VECTOR(OFS_PARM0)[0], G_VECTOR(OFS_PARM0)[1], G_VECTOR(OFS_PARM0)[2]);
 	G_INT(OFS_RETURN) = PR_SetString(pr_string_temp);
 }
@ -1625,7 +1625,7 @@ void PF_infokey (void)
 			value = strcpy(ov, NET_BaseAdrToString (svs.clients[e1-1].netchan.remote_address));
 		else if (!strcmp(key, "ping")) {
 			int ping = SV_CalcPing (&svs.clients[e1-1]);
-			sprintf(ov, "%d", ping);
+			snprintf(ov, sizeof(ov), "%d", ping);
 			value = ov;
 		} else
 			value = Info_ValueForKey (svs.clients[e1-1].userinfo, key);
--- a/source/pr_edict.c
+++ b/source/pr_edict.c
@ -319,7 +319,7 @@ char *PR_ValueString (etype_t type, eval_t *val)
 		snprintf (line, sizeof(line), "%s", PR_GetString(val->string));
 		break;
 	case ev_entity:	
-		sprintf (line, "entity %i", NUM_FOR_EDICT(PROG_TO_EDICT(val->edict)) );
+		snprintf (line, sizeof(line), "entity %i", NUM_FOR_EDICT(PROG_TO_EDICT(val->edict)) );
 		break;
 	case ev_function:
 		f = pr_functions + val->function;
@ -333,16 +333,16 @@ char *PR_ValueString (etype_t type, eval_t *val)
 		strcpy (line, "void");
 		break;
 	case ev_float:
-		sprintf (line, "%5.1f", val->_float);
+		snprintf (line, sizeof(line), "%5.1f", val->_float);
 		break;
 	case ev_vector:
-		sprintf (line, "'%5.1f %5.1f %5.1f'", val->vector[0], val->vector[1], val->vector[2]);
+		snprintf (line, sizeof(line), "'%5.1f %5.1f %5.1f'", val->vector[0], val->vector[1], val->vector[2]);
 		break;
 	case ev_pointer:
 		strcpy (line, "pointer");
 		break;
 	default:
-		sprintf (line, "bad type %i", type);
+		snprintf (line, sizeof(line), "bad type %i", type);
 		break;
 	}
@ -371,7 +371,7 @@ char *PR_UglyValueString (etype_t type, eval_t *val)
 		snprintf (line, sizeof(line), "%s", PR_GetString(val->string));
 		break;
 	case ev_entity:	
-		sprintf (line, "%i", NUM_FOR_EDICT(PROG_TO_EDICT(val->edict)));
+		snprintf (line, sizeof(line), "%i", NUM_FOR_EDICT(PROG_TO_EDICT(val->edict)));
 		break;
 	case ev_function:
 		f = pr_functions + val->function;
@ -385,13 +385,13 @@ char *PR_UglyValueString (etype_t type, eval_t *val)
 		strcpy (line, "void");
 		break;
 	case ev_float:
-		sprintf (line, "%f", val->_float);
+		snprintf (line, sizeof(line), "%f", val->_float);
 		break;
 	case ev_vector:
-		sprintf (line, "%f %f %f", val->vector[0], val->vector[1], val->vector[2]);
+		snprintf (line, sizeof(line), "%f %f %f", val->vector[0], val->vector[1], val->vector[2]);
 		break;
 	default:
-		sprintf (line, "bad type %i", type);
+		snprintf (line, sizeof(line), "bad type %i", type);
 		break;
 	}
@ -417,7 +417,7 @@ char *PR_GlobalString (int ofs)
 	val = (void *)&pr_globals[ofs];
 	def = ED_GlobalAtOfs(ofs);
 	if (!def)
-		sprintf (line,"%i(???)", ofs);
+		snprintf (line, sizeof(line), "%i(???)", ofs);
 	else
 	{
 		s = PR_ValueString (def->type, val);
@ -426,8 +426,8 @@ char *PR_GlobalString (int ofs)
 	i = strlen(line);
 	for ( ; i<20 ; i++)
-		strcat (line," ");
+		strncat (line, " ", sizeof(line));
-	strcat (line," ");
+	strncat (line, " ", sizeof(line));
 	return line;
 }
@ -440,14 +440,14 @@ char *PR_GlobalStringNoContents (int ofs)
 	def = ED_GlobalAtOfs(ofs);
 	if (!def)
-		sprintf (line,"%i(???)", ofs);
+		snprintf (line, sizeof(line), "%i(???)", ofs);
 	else
-		sprintf (line,"%i(%s)", ofs, PR_GetString(def->s_name));
+		snprintf (line, sizeof(line), "%i(%s)", ofs, PR_GetString(def->s_name));
 	i = strlen(line);
 	for ( ; i<20 ; i++)
-		strcat (line," ");
+		strncat (line, " ", sizeof(line));
-	strcat (line," ");
+	strncat (line, " ", sizeof(line));
 	return line;
 }
@ -902,7 +902,7 @@ if (anglehack)
 		{
 			char	temp[32];
 			strcpy (temp, com_token);
-sprintf (com_token, "0 %s 0", temp);
+			snprintf (com_token, sizeof(com_token), "0 %s 0", temp);
 		}
 		if (!ED_ParseEpair ((void *)&ent->v, key, com_token))
@ -1019,7 +1019,7 @@ void PR_LoadProgs (void)
 	Con_DPrintf ("Programs occupy %iK.\n", com_filesize/1024);
 // add prog crc to the serverinfo
-	sprintf (num, "%i", CRC_Block ((byte *)progs, com_filesize));
+	snprintf (num, sizeof(num), "%i", CRC_Block ((byte *)progs, com_filesize));
 	Info_SetValueForStarKey (svs.info, "*progs", num, MAX_SERVERINFO_STRING);
 // byte swap the header
--- a/source/qargs.c
+++ b/source/qargs.c
@ -115,7 +115,7 @@ void COM_InitArgv (int argc, char **argv)
 		{
 			strncat (com_cmdline, argv[i], len);
 			assert(len - strlen(com_cmdline) > 0);
-			strcat (com_cmdline, " ");
+			strncat (com_cmdline,  " ", sizeof(com_cmdline));
 		}
 		com_cmdline[len - 1] = '\0';
 	}
--- a/source/quakefs.c
+++ b/source/quakefs.c
@ -1145,5 +1145,5 @@ void COM_DefaultExtension (char *path, char *extension)
 		src--;
 	}
-	strcat (path, extension);
+	strncat (path,  extension, sizeof(path));
 }
--- a/source/quakeio.c
+++ b/source/quakeio.c
@ -82,7 +82,7 @@ Qexpand_squiggle(const char *path, char *dest)
 	if (home) {
 		strcpy (dest, home);
-		strcat (dest, path+1); // skip leading ~
+		strncat (dest,  path+1, sizeof(dest)); // skip leading ~
 	} else
 		strcpy (dest,path);
 }
--- a/source/r_misc.c
+++ b/source/r_misc.c
@ -259,7 +259,7 @@ void R_NetGraph (void)
 		i = (cls.netchan.outgoing_sequence-a) & NET_TIMINGSMASK;
 		R_LineGraph (x+w-1-a, y, packet_latency[i]);
 	}
-	sprintf(st, "%3i%% packet loss", lost);
+	snprintf(st, sizeof(st), "%3i%% packet loss", lost);
 	Draw_String8 (8, y2, st);
 }
--- a/source/sbar.c
+++ b/source/sbar.c
@ -506,7 +506,7 @@ void Sbar_SoloScoreboard (void)
 	seconds = cl.time - 60*minutes;
 	tens = seconds / 10;
 	units = seconds - 10*tens;
-	sprintf (str,"Time :%3i:%i%i", minutes, tens, units);
+	snprintf (str, sizeof(str),"Time :%3i:%i%i", minutes, tens, units);
 	Sbar_DrawString (184, 4, str);
 }
@ -566,7 +566,7 @@ void Sbar_DrawInventory (void)
 // ammo counts
 	for (i=0 ; i<4 ; i++)
 	{
-		sprintf (num, "%3i",cl.stats[STAT_SHELLS+i] );
+		snprintf (num, sizeof(num), "%3i",cl.stats[STAT_SHELLS+i] );
 		if (headsup) {
 //			Sbar_DrawSubPic(3, -24, sb_ibar, 3, 0, 42,11);
 			Sbar_DrawSubPic((hudswap) ? 0 : (vid.width-42), -24 - (4-i)*11, sb_ibar, 3+(i*48), 0, 42, 11);
@ -667,7 +667,7 @@ void Sbar_DrawFrags (void)
 	// draw number
 		f = s->frags;
-		sprintf (num, "%3i",f);
+		snprintf (num, sizeof(num), "%3i",f);
 		Sbar_DrawCharacter ( (x+1)*8 , -24, num[0]);
 		Sbar_DrawCharacter ( (x+2)*8 , -24, num[1]);
@ -826,7 +826,7 @@ void Sbar_Draw (void)
 					Sbar_DrawNormal ();
 //					Sbar_DrawString (160-14*8+4,4, "SPECTATOR MODE - TRACK CAMERA");
-				sprintf(st, "Tracking %-.13s, [JUMP] for next",
+				snprintf (st, sizeof(st), "Tracking %-.13s, [JUMP] for next",
 						cl.players[spec_track].name);
 				Sbar_DrawString(0, -8, st);
 			}
@ -959,7 +959,7 @@ void Sbar_TeamOverlay (void)
 		if (pavg < 0 || pavg > 999)
 			pavg = 999;
-		sprintf (num, "%3i/%3i/%3i", plow, pavg, phigh);
+		snprintf (num, sizeof(num), "%3i/%3i/%3i", plow, pavg, phigh);
 		Draw_String8 ( x, y, num);
 	// draw team
@ -968,11 +968,11 @@ void Sbar_TeamOverlay (void)
 		Draw_String8 (x + 104, y, team);
 	// draw total
-		sprintf (num, "%5i", tm->frags);
+		snprintf (num, sizeof(num), "%5i", tm->frags);
 		Draw_String8 (x + 104 + 40, y, num);
 	// draw players
-		sprintf (num, "%5i", tm->players);
+		snprintf (num, sizeof(num), "%5i", tm->players);
 		Draw_String8 (x + 104 + 88, y, num);
 		if (!strncmp(Info_ValueForKey(cl.players[cl.playernum].userinfo,
@ -1072,12 +1072,12 @@ void Sbar_DeathmatchOverlay (int start)
 		p = s->ping;
 		if (p < 0 || p > 999)
 			p = 999;
-		sprintf (num, "%4i", p);
+		snprintf (num, sizeof(num), "%4i", p);
 		Draw_String8 ( x, y, num);
 		// draw pl
 		p = s->pl;
-		sprintf (num, "%3i", p);
+		snprintf (num, sizeof(num), "%3i", p);
 		if (p > 25)
 			Draw_AltString8 ( x+32, y, num);
 		else
@ -1102,7 +1102,7 @@ void Sbar_DeathmatchOverlay (int start)
 		else
 			total = realtime - s->entertime;
 		minutes = (int)total/60;
-		sprintf (num, "%4i", minutes);
+		snprintf (num, sizeof(num), "%4i", minutes);
 		Draw_String8 ( x+64 , y, num);
 		// draw background
@ -1119,7 +1119,7 @@ void Sbar_DeathmatchOverlay (int start)
 	// draw number
 		f = s->frags;
-		sprintf (num, "%3i",f);
+		snprintf (num, sizeof(num), "%3i",f);
 		Draw_Character8 ( x+112 , y, num[0]);
 		Draw_Character8 ( x+120 , y, num[1]);
@ -1231,7 +1231,7 @@ void Sbar_MiniDeathmatchOverlay (void)
 	// draw number
 		f = s->frags;
-		sprintf (num, "%3i",f);
+		snprintf (num, sizeof(num), "%3i",f);
 		Draw_Character8 ( x+8 , y, num[0]);
 		Draw_Character8 ( x+16, y, num[1]);
@ -1285,7 +1285,7 @@ void Sbar_MiniDeathmatchOverlay (void)
 		Draw_String8 (x, y, team);
 	// draw total
-		sprintf (num, "%5i", tm->frags);
+		snprintf (num, sizeof(num), "%5i", tm->frags);
 		Draw_String8 (x + 40, y, num);
 		if (!strncmp(Info_ValueForKey(cl.players[cl.playernum].userinfo,
--- a/source/screen.c
+++ b/source/screen.c
@ -507,7 +507,7 @@ void SCR_DrawFPS (void)
 		lastframetime = t;
 	}
 	/* Misty: I really do need to read about sprintf a bit. This thing keeps chewing on my foot! */
-	sprintf(st, "%-3d FPS", lastfps);
+	snprintf (st, sizeof(st), "%-3d FPS", lastfps);
 	/* Misty: New trick! (for me) the ? makes this work like a if then else - IE: if 
 	cl_hudswap->int_val is not null, do first case, else (else is a : here) do second case.
 	Deek taught me this trick */
@ -544,7 +544,7 @@ void SCR_DrawTime (void)
 	}
 	/* now actually print it to the screen directly below where show_fps is */
-	sprintf (st, "%s", local_time);
+	snprintf (st, sizeof(st), "%s", local_time);
 	x = cl_hudswap->int_val ? vid.width - ((strlen (st) * 8) + 8) : 8;
 	y = vid.height - sb_lines - 16;
 	Draw_String8 (x, y, st);
--- a/source/snd_dma.c
+++ b/source/snd_dma.c
@ -957,7 +957,7 @@ void S_Play(void)
 		if (!strrchr(Cmd_Argv(i), '.'))
 		{
 			strcpy(name, Cmd_Argv(i));
-			strcat(name, ".wav");
+			strncat (name,  ".wav", sizeof(name));
 		}
 		else
 			strcpy(name, Cmd_Argv(i));
@ -981,7 +981,7 @@ void S_PlayVol(void)
 		if (!strrchr(Cmd_Argv(i), '.'))
 		{
 			strcpy(name, Cmd_Argv(i));
-			strcat(name, ".wav");
+			strncat (name,  ".wav", sizeof(name));
 		}
 		else
 			strcpy(name, Cmd_Argv(i));
--- a/source/snd_mem.c
+++ b/source/snd_mem.c
@ -180,7 +180,7 @@ sfxcache_t *S_LoadSound (sfx_t *s)
 //Con_Printf ("S_LoadSound: %x\n", (int)stackbuf);
 // load it in
    strcpy(namebuffer, "sound/");
-    strcat(namebuffer, s->name);
+    strncat (namebuffer,  s->name, sizeof(namebuffer));
 //	Con_Printf ("loading %s\n",namebuffer);
--- a/source/sv_ccmds.c
+++ b/source/sv_ccmds.c
@ -528,7 +528,7 @@ void SV_ConSay_f(void)
 		p[strlen(p)-1] = 0;
 	}
-	strcat(text, p);
+	strncat (text,  p, sizeof(text));
 	for (j = 0, client = svs.clients; j < MAX_CLIENTS; j++, client++)
 	{
@ -774,7 +774,7 @@ void SV_Snap (int uid)
 		return;
 	}
-	sprintf(pcxname, "%d-00.pcx", uid);
+	snprintf (pcxname, sizeof(pcxname), "%d-00.pcx", uid);
 	snprintf (checkname, sizeof(checkname), "%s/snap", com_gamedir);
 	COM_CreatePath (va ("%s/dummy", checkname));
--- a/source/sv_main.c
+++ b/source/sv_main.c
@ -545,7 +545,7 @@ SVC_Log (void)
 				 NET_AdrToString (net_from));
 	// sprintf (data, "stdlog %i\n", svs.logsequence-1);
-	// strcat (data, (char *)svs.log_buf[((svs.logsequence-1)&1)]);
+	// strncat (data,  (char *)svs.log_buf[((svs.logsequence-1)&1)], sizeof(data));
 	snprintf (data, sizeof (data), "stdlog %i\n%s",
 			  svs.logsequence - 1,
 			  (char *) svs.log_buf[((svs.logsequence - 1) & 1)]);
@ -1210,7 +1210,7 @@ SV_SendBan (void)
 	data[0] = data[1] = data[2] = data[3] = 0xff;
 	data[4] = A2C_PRINT;
 	data[5] = 0;
-	strcat (data, "\nbanned.\n");
+	strncat (data,  "\nbanned.\n", sizeof(data));
 	NET_SendPacket (strlen (data), data, net_from);
 }
--- a/source/sv_send.c
+++ b/source/sv_send.c
@ -146,7 +146,7 @@ void Con_Printf (char *fmt, ...)
 	if (sv_redirected) {	// Add to redirected message
 		if (strlen (msg) + strlen (outputbuf) > sizeof (outputbuf) - 1)
 			SV_FlushRedirect ();
-		strcat (outputbuf, msg);
+		strncat (outputbuf,  msg, sizeof(outputbuf));
 		return;
 	} else {				// We want to output to console and maybe logfile
 		if (sv_timestamps && sv_timefmt && sv_timefmt->string && sv_timestamps->int_val)
--- a/source/sv_user.c
+++ b/source/sv_user.c
@ -854,8 +854,8 @@ void SV_Say (qboolean team)
 		p[strlen(p)-1] = 0;
 	}
-	strcat(text, p);
+	strncat (text,  p, sizeof(text));
-	strcat(text, "\n");
+	strncat (text,  "\n", sizeof(text));
 	Sys_Printf ("%s", text);