diff --git a/AUTHORS b/AUTHORS
index 4776517..ddafc35 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -85,6 +85,7 @@ Misc Code Fixes:
 Cheat/exploit fixes:
   Mads Bondo Dydensborg <madsdyd@challenge.dk>
   Zephaniah E. Hull <warp@whitestar.soark.net>
+  Roger Sen Montero <rogersm@tau.uab.es>
 
 Win32 support:
   Marcus Sundberg <mackan@stacken.kth.se>
diff --git a/common/pr_exec.c b/common/pr_exec.c
index 28481e7..4aab75c 100644
--- a/common/pr_exec.c
+++ b/common/pr_exec.c
@@ -269,8 +269,8 @@ void PR_RunError (char *error, ...)
 	va_list		argptr;
 	char		string[1024];
 
-	va_start (argptr,error);
-	vsprintf (string,error,argptr);
+	va_start (argptr, error);
+	vsnprintf (string, sizeof(string) , error, argptr);
 	va_end (argptr);
 
 	PR_PrintStatement (pr_statements + pr_xstatement);
diff --git a/common/sys_linux.c b/common/sys_linux.c
index 449f6e4..b8a9bf0 100644
--- a/common/sys_linux.c
+++ b/common/sys_linux.c
@@ -85,8 +85,8 @@ void Sys_Error (char *error, ...) {
 // change stdin to non blocking
     fcntl (0, F_SETFL, fcntl (0, F_GETFL, 0) & ~O_NDELAY);
     
-    va_start (argptr,error);
-    vsprintf (string,error,argptr);
+    va_start (argptr, error);
+    vsnprintf (string, sizeof(string), error, argptr);
     va_end (argptr);
 	fprintf(stderr, "Error: %s\n", string);
 
@@ -99,8 +99,8 @@ void Sys_Warn (char *warning, ...) {
     va_list     argptr;
     char        string[1024];
     
-    va_start (argptr,warning);
-    vsprintf (string,warning,argptr);
+    va_start (argptr, warning);
+    vsnprintf (string, sizeof(string), warning, argptr);
     va_end (argptr);
 	fprintf(stderr, "Warning: %s", string);
 } 
@@ -160,7 +160,7 @@ void Sys_DebugLog(char *file, char *fmt, ...) {
 	//int fd;
     
 	va_start(argptr, fmt);
-	vsprintf(data, fmt, argptr);
+	vsnprintf(data, sizeof(data), fmt, argptr);
 	va_end(argptr);
 // fd = open(file, O_WRONLY | O_BINARY | O_CREAT | O_APPEND, 0666);
 	stream = fopen(file, "a");
diff --git a/qw_client/cl_main.c b/qw_client/cl_main.c
index f777b67..aa008b5 100644
--- a/qw_client/cl_main.c
+++ b/qw_client/cl_main.c
@@ -1209,8 +1209,8 @@ void Host_EndGame (char *message, ...)
 	va_list		argptr;
 	char		string[1024];
 	
-	va_start (argptr,message);
-	vsprintf (string,message,argptr);
+	va_start (argptr, message);
+	vsnprintf (string, sizeof(string), message, argptr);
 	va_end (argptr);
 	Con_Printf ("\n===========================\n");
 	Con_Printf ("Host_EndGame: %s\n",string);
@@ -1238,8 +1238,8 @@ void Host_Error (char *error, ...)
 		Sys_Error ("Host_Error: recursively entered");
 	inerror = true;
 	
-	va_start (argptr,error);
-	vsprintf (string,error,argptr);
+	va_start (argptr, error);
+	vsnprintf (string, sizeof(string), error, argptr);
 	va_end (argptr);
 	Con_Printf ("Host_Error: %s\n",string);
 	
diff --git a/qw_client/sys_win.c b/qw_client/sys_win.c
index 73a5fdc..ac0716b 100644
--- a/qw_client/sys_win.c
+++ b/qw_client/sys_win.c
@@ -61,7 +61,7 @@ void Sys_DebugLog(char *file, char *fmt, ...)
     int fd;
     
     va_start(argptr, fmt);
-    vsprintf(data, fmt, argptr);
+    vsnprintf(data, sizeof(data), fmt, argptr);
     va_end(argptr);
     fd = open(file, O_WRONLY | O_CREAT | O_APPEND, 0666);
     write(fd, data, strlen(data));
@@ -208,7 +208,7 @@ void Sys_Error (char *error, ...)
 	Host_Shutdown ();
 
 	va_start (argptr, error);
-	vsprintf (text, error, argptr);
+	vsnprintf (text, sizeof(text), error, argptr);
 	va_end (argptr);
 
 	MessageBox(NULL, text, "Error", 0 /* MB_OK */ );
diff --git a/qw_common/common.c b/qw_common/common.c
index 5546b0a..51bed56 100644
--- a/qw_common/common.c
+++ b/qw_common/common.c
@@ -1157,7 +1157,6 @@ va
 
 does a varargs printf into a temp buffer, so I don't need to have
 varargs versions of all text functions.
-FIXME: make this buffer size safe someday
 ============
 */
 char	*va(char *format, ...)
@@ -1166,7 +1165,7 @@ char	*va(char *format, ...)
 	static char		string[1024];
 	
 	va_start (argptr, format);
-	vsprintf (string, format,argptr);
+	vsnprintf (string, sizeof(string), format, argptr);
 	va_end (argptr);
 
 	return string;	
diff --git a/qw_common/console.c b/qw_common/console.c
index 95595bd..d1a5af3 100644
--- a/qw_common/console.c
+++ b/qw_common/console.c
@@ -403,7 +403,7 @@ void Con_DPrintf (char *fmt, ...)
 		return;			// don't confuse non-developers with techie stuff...
 
 	va_start (argptr,fmt);
-	vsprintf (msg,fmt,argptr);
+	vsnprintf (msg, sizeof(msg), fmt, argptr);
 	va_end (argptr);
 	
 	Con_Printf ("%s", msg);
@@ -681,8 +681,8 @@ void Con_SafePrintf (char *fmt, ...)
 	char		msg[1024];
 	int			temp;
 		
-	va_start (argptr,fmt);
-	vsprintf (msg,fmt,argptr);
+	va_start (argptr, fmt);
+	vsnprintf (msg, sizeof(msg), fmt,argptr);
 	va_end (argptr);
 	
 	temp = scr_disabled_for_loading;
diff --git a/qw_common/net_chan.c b/qw_common/net_chan.c
index 2c08fad..b88437b 100644
--- a/qw_common/net_chan.c
+++ b/qw_common/net_chan.c
@@ -145,7 +145,7 @@ void Netchan_OutOfBandPrint (netadr_t adr, char *format, ...)
 	static char		string[8192];		// ??? why static?
 	
 	va_start (argptr, format);
-	vsprintf (string, format,argptr);
+	vsnprintf (string, sizeof(string), format, argptr);
 	va_end (argptr);
 
 
diff --git a/qw_server/sv_main.c b/qw_server/sv_main.c
index 152f379..95a7eea 100644
--- a/qw_server/sv_main.c
+++ b/qw_server/sv_main.c
@@ -130,8 +130,8 @@ void SV_Error (char *error, ...)
 
 	inerror = true;
 
-	va_start (argptr,error);
-	vsprintf (string,error,argptr);
+	va_start (argptr, error);
+	vsnprintf (string, sizeof(string), error, argptr);
 	va_end (argptr);
 
 	Con_Printf ("SV_Error: %s\n",string);
diff --git a/qw_server/sv_send.c b/qw_server/sv_send.c
index 6d0172b..04fb2f4 100644
--- a/qw_server/sv_send.c
+++ b/qw_server/sv_send.c
@@ -102,14 +102,14 @@ Handles cursor positioning, line wrapping, etc
 ================
 */
 #define	MAXPRINTMSG	4096
-// FIXME: make a buffer size safe vsprintf?
+
 void Con_Printf (char *fmt, ...)
 {
 	va_list		argptr;
 	char		msg[MAXPRINTMSG];
 	
-	va_start (argptr,fmt);
-	vsprintf (msg,fmt,argptr);
+	va_start (argptr, fmt);
+	vsnprintf (msg, sizeof(msg), fmt, argptr);
 	va_end (argptr);
 
 	// add to redirected message
@@ -141,8 +141,8 @@ void Con_DPrintf (char *fmt, ...)
 	if (!developer.value)
 		return;
 
-	va_start (argptr,fmt);
-	vsprintf (msg,fmt,argptr);
+	va_start (argptr, fmt);
+	vsnprintf (msg, sizeof(msg), fmt, argptr);
 	va_end (argptr);
 	
 	Con_Printf ("%s", msg);
@@ -179,8 +179,8 @@ void SV_ClientPrintf (client_t *cl, int level, char *fmt, ...)
 	if (level < cl->messagelevel)
 		return;
 	
-	va_start (argptr,fmt);
-	vsprintf (string, fmt,argptr);
+	va_start (argptr, fmt);
+	vsnprintf (string, sizeof(string), fmt, argptr);
 	va_end (argptr);
 
 	SV_PrintToClient(cl, level, string);
@@ -200,8 +200,8 @@ void SV_BroadcastPrintf (int level, char *fmt, ...)
 	client_t	*cl;
 	int			i;
 
-	va_start (argptr,fmt);
-	vsprintf (string, fmt,argptr);
+	va_start (argptr, fmt);
+	vsnprintf (string, sizeof(string), fmt, argptr);
 	va_end (argptr);
 	
 	Sys_Printf ("%s", string);	// print to the console
@@ -231,8 +231,8 @@ void SV_BroadcastCommand (char *fmt, ...)
 	
 	if (!sv.state)
 		return;
-	va_start (argptr,fmt);
-	vsprintf (string, fmt,argptr);
+	va_start (argptr, fmt);
+	vsnprintf (string, sizeof(string), fmt, argptr);
 	va_end (argptr);
 
 	MSG_WriteByte (&sv.reliable_datagram, svc_stufftext);
diff --git a/qw_server/sv_user.c b/qw_server/sv_user.c
index 0a3a823..5b8bfde 100644
--- a/qw_server/sv_user.c
+++ b/qw_server/sv_user.c
@@ -561,7 +561,7 @@ void OutofBandPrintf(netadr_t where, char *fmt, ...)
 	send[3] = 0xff;
 	send[4] = A2C_PRINT;
 	va_start (argptr, fmt);
-	vsprintf (send+5, fmt, argptr);
+	vsnprintf (send+5, sizeof(send) - 5, fmt, argptr);
 	va_end (argptr);
 
 	NET_SendPacket (strlen(send)+1, send, where);
diff --git a/qw_server/sys_unix.c b/qw_server/sys_unix.c
index ec58a65..b6332bd 100644
--- a/qw_server/sys_unix.c
+++ b/qw_server/sys_unix.c
@@ -57,8 +57,8 @@ void Sys_Error (char *error, ...)
 	va_list		argptr;
 	char		string[1024];
 	
-	va_start (argptr,error);
-	vsprintf (string,error,argptr);
+	va_start (argptr, error);
+	vsnprintf (string, sizeof(string), error, argptr);
 	va_end (argptr);
 	printf ("Fatal error: %s\n",string);
 	
diff --git a/qw_server/sys_win.c b/qw_server/sys_win.c
index 6cee9ad..5f0fe8f 100644
--- a/qw_server/sys_win.c
+++ b/qw_server/sys_win.c
@@ -36,8 +36,8 @@ void Sys_Error (char *error, ...)
 	va_list		argptr;
 	char		text[1024];
 
-	va_start (argptr,error);
-	vsprintf (text, error,argptr);
+	va_start (argptr, error);
+	vsnprintf (text, sizeof(text), error, argptr);
 	va_end (argptr);
 
 //    MessageBox(NULL, text, "Error", 0 /* MB_OK */ );
diff --git a/uquake/common.c b/uquake/common.c
index 2ff0cd7..e15baab 100644
--- a/uquake/common.c
+++ b/uquake/common.c
@@ -1096,7 +1096,7 @@ char    *va(char *format, ...)
 	static char             string[1024];
 	
 	va_start (argptr, format);
-	vsprintf (string, format,argptr);
+	vsnprintf (string, sizeof(string), format, argptr);
 	va_end (argptr);
 
 	return string;  
diff --git a/uquake/console.c b/uquake/console.c
index 21a70e3..fe95900 100644
--- a/uquake/console.c
+++ b/uquake/console.c
@@ -358,7 +358,7 @@ void Con_DebugLog(char *file, char *fmt, ...)
     int fd;
     
     va_start(argptr, fmt);
-    vsprintf(data, fmt, argptr);
+    vsnprintf(data, sizeof(data), fmt, argptr);
     va_end(argptr);
     fd = open(file, O_WRONLY | O_CREAT | O_APPEND, 0666);
     write(fd, data, strlen(data));
@@ -374,15 +374,15 @@ Handles cursor positioning, line wrapping, etc
 ================
 */
 #define	MAXPRINTMSG	4096
-// FIXME: make a buffer size safe vsprintf?
+
 void Con_Printf (char *fmt, ...)
 {
 	va_list		argptr;
 	char		msg[MAXPRINTMSG];
 	static qboolean	inupdate;
 	
-	va_start (argptr,fmt);
-	vsprintf (msg,fmt,argptr);
+	va_start (argptr, fmt);
+	vsnprintf (msg, sizeof(msg), fmt, argptr);
 	va_end (argptr);
 	
 // also echo to debugging console
@@ -430,8 +430,8 @@ void Con_DPrintf (char *fmt, ...)
 	if (!developer.value)
 		return;			// don't confuse non-developers with techie stuff...
 
-	va_start (argptr,fmt);
-	vsprintf (msg,fmt,argptr);
+	va_start (argptr, fmt);
+	vsnprintf (msg, sizeof(msg), fmt, argptr);
 	va_end (argptr);
 	
 	Con_Printf ("%s", msg);
@@ -451,8 +451,8 @@ void Con_SafePrintf (char *fmt, ...)
 	char		msg[1024];
 	int			temp;
 		
-	va_start (argptr,fmt);
-	vsprintf (msg,fmt,argptr);
+	va_start (argptr, fmt);
+	vsnprintf (msg, sizeof(msg), fmt, argptr);
 	va_end (argptr);
 
 	temp = scr_disabled_for_loading;
diff --git a/uquake/host.c b/uquake/host.c
index 2a3506d..c97e025 100644
--- a/uquake/host.c
+++ b/uquake/host.c
@@ -95,8 +95,8 @@ void Host_EndGame (char *message, ...)
 	va_list		argptr;
 	char		string[1024];
 	
-	va_start (argptr,message);
-	vsprintf (string,message,argptr);
+	va_start (argptr, message);
+	vsnprintf (string, sizeof(string), message, argptr);
 	va_end (argptr);
 	Con_DPrintf ("Host_EndGame: %s\n",string);
 	
@@ -133,8 +133,8 @@ void Host_Error (char *error, ...)
 	
 	SCR_EndLoadingPlaque ();		// reenable screen updates
 
-	va_start (argptr,error);
-	vsprintf (string,error,argptr);
+	va_start (argptr, error);
+	vsnprintf (string, sizeof(string), error,argptr);
 	va_end (argptr);
 	Con_Printf ("Host_Error: %s\n",string);
 	
@@ -283,8 +283,8 @@ void SV_ClientPrintf (char *fmt, ...)
 	va_list		argptr;
 	char		string[1024];
 	
-	va_start (argptr,fmt);
-	vsprintf (string, fmt,argptr);
+	va_start (argptr, fmt);
+	vsnprintf (string, sizeof(string), fmt, argptr);
 	va_end (argptr);
 	
 	MSG_WriteByte (&host_client->message, svc_print);
@@ -304,8 +304,8 @@ void SV_BroadcastPrintf (char *fmt, ...)
 	char		string[1024];
 	int			i;
 	
-	va_start (argptr,fmt);
-	vsprintf (string, fmt,argptr);
+	va_start (argptr, fmt);
+	vsnprintf (string, sizeof(string), fmt, argptr);
 	va_end (argptr);
 	
 	for (i=0 ; i<svs.maxclients ; i++)
@@ -328,8 +328,8 @@ void Host_ClientCommands (char *fmt, ...)
 	va_list		argptr;
 	char		string[1024];
 	
-	va_start (argptr,fmt);
-	vsprintf (string, fmt,argptr);
+	va_start (argptr, fmt);
+	vsnprintf (string, sizeof(string), fmt, argptr);
 	va_end (argptr);
 	
 	MSG_WriteByte (&host_client->message, svc_stufftext);
diff --git a/uquake/sys_dos.c b/uquake/sys_dos.c
index d60d150..8cb3b23 100644
--- a/uquake/sys_dos.c
+++ b/uquake/sys_dos.c
@@ -522,8 +522,8 @@ void Sys_Printf (char *fmt, ...)
 	va_list		argptr;
 	char		text[1024];
 	
-	va_start (argptr,fmt);
-	vsprintf (text,fmt,argptr);
+	va_start (argptr, fmt);
+	vsnprintf (text, sizeof(text), fmt, argptr);
 	va_end (argptr);
 
 	if (cls.state == ca_dedicated)
@@ -583,8 +583,8 @@ void Sys_Error (char *error, ...)
     va_list     argptr;
     char        string[1024];
     
-    va_start (argptr,error);
-    vsprintf (string,error,argptr);
+    va_start (argptr, error);
+    vsnprintf (string, sizeof(string), error, argptr);
     va_end (argptr);
 
 	Host_Shutdown();
diff --git a/uquake/sys_win.c b/uquake/sys_win.c
index d659a4f..91ccfe9 100644
--- a/uquake/sys_win.c
+++ b/uquake/sys_win.c
@@ -342,13 +342,13 @@ void Sys_Error (char *error, ...)
 	}
 
 	va_start (argptr, error);
-	vsprintf (text, error, argptr);
+	vsnprintf (text, sizeof(text), error, argptr);
 	va_end (argptr);
 
 	if (isDedicated)
 	{
 		va_start (argptr, error);
-		vsprintf (text, error, argptr);
+		vsnprintf (text, sizeof(text), error, argptr);
 		va_end (argptr);
 
 		snprintf(text2, sizeof(text2), "ERROR: %s\n", text);
diff --git a/uquake/sys_wind.c b/uquake/sys_wind.c
index 26f0202..db03bff 100644
--- a/uquake/sys_wind.c
+++ b/uquake/sys_wind.c
@@ -143,8 +143,8 @@ void Sys_Error (char *error, ...)
 	va_list		argptr;
 	char		text[1024];
 
-	va_start (argptr,error);
-	vsprintf (text, error,argptr);
+	va_start (argptr, error);
+	vsnprintf (text, sizeof(text), error, argptr);
 	va_end (argptr);
 
 //    MessageBox(NULL, text, "Error", 0 /* MB_OK */ );