Index: browser.c =================================================================== RCS file: /home/roessler/cvs/mutt/browser.c,v retrieving revision 3.19 diff -p -u -r3.19 browser.c --- browser.c 6 Oct 2005 06:15:00 -0000 3.19 +++ browser.c 20 May 2006 13:51:42 -0000 @@ -586,7 +586,7 @@ void _mutt_select_file (char *f, size_t else { if (f[0] == '/') - strcpy (LastDir, "/"); /* __STRCPY_CHECKED__ */ + strfcpy (LastDir, "/", sizeof (LastDir)); else getcwd (LastDir, sizeof (LastDir)); } @@ -695,7 +695,7 @@ void _mutt_select_file (char *f, size_t if (mutt_strcmp (state.entry[menu->current].name, "..") == 0) { if (mutt_strcmp ("..", LastDir + mutt_strlen (LastDir) - 2) == 0) - strcat (LastDir, "/.."); /* __STRCAT_CHECKED__ */ + safe_strcat (LastDir, sizeof (LastDir), "/.."); else { char *p = strrchr (LastDir + 1, '/'); @@ -707,7 +707,7 @@ void _mutt_select_file (char *f, size_t if (LastDir[0] == '/') LastDir[1] = 0; else - strcat (LastDir, "/.."); /* __STRCAT_CHECKED__ */ + safe_strcat (LastDir, sizeof (LastDir), "/.."); } } } Index: copy.c =================================================================== RCS file: /home/roessler/cvs/mutt/copy.c,v retrieving revision 3.27 diff -p -u -r3.27 copy.c --- copy.c 21 Oct 2005 04:35:37 -0000 3.27 +++ copy.c 20 May 2006 13:51:43 -0000 @@ -160,9 +160,9 @@ mutt_copy_hdr (FILE *in, FILE *out, LOFF headers[x] = this_one; else { - safe_realloc (&headers[x], mutt_strlen (headers[x]) + - mutt_strlen (this_one) + sizeof (char)); - strcat (headers[x], this_one); /* __STRCAT_CHECKED__ */ + size_t newsize = mutt_strlen (headers[x]) + mutt_strlen (this_one) + 1; + safe_realloc (&headers[x], newsize); + safe_strcat (headers[x], newsize, this_one); FREE (&this_one); } 
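Review bot: In the `_mutt_select_file` hunks at -695 and -707, `safe_strcat (LastDir, sizeof (LastDir), "/..")` bounds the write but does not report when the suffix does not fit. Assuming `safe_strcat` truncates, a `LastDir` close to the limit would receive only part of `/..`, and the browser would then open a different directory from the one the user selected. A length check before the append, such as `if (mutt_strlen (LastDir) + 3 < sizeof (LastDir))`, with an error message in the other case, would make the failure visible. The function body continues outside these hunks, so an existing guard may be out of view.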
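Review bot: The three-line sequence `size_t newsize = ...; safe_realloc (...); safe_strcat (...);` is added three times in `mutt_copy_hdr` (this hunk and the ones at -233 and -253), each with its own copy of the `+ 1` size arithmetic. The sendlib.c part of this patch keeps `mutt_append_string`, which does the same grow-and-append in one place. If that helper is declared where copy.c can see it (not shown here), each site could shrink to one line, e.g. `headers[x] = mutt_append_string (headers[x], this_one);`, leaving a single place to audit the length calculation.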
@@ -233,9 +233,9 @@ mutt_copy_hdr (FILE *in, FILE *out, LOFF this_one = safe_strdup (buf); else { - safe_realloc (&this_one, - mutt_strlen (this_one) + mutt_strlen (buf) + sizeof (char)); - strcat (this_one, buf); /* __STRCAT_CHECKED__ */ + size_t newsize = mutt_strlen (this_one) + mutt_strlen (buf) + 1; + safe_realloc (&this_one, newsize); + safe_strcat (this_one, newsize, buf); } } } /* while (ftello (in) < off_end) */ @@ -253,9 +253,9 @@ mutt_copy_hdr (FILE *in, FILE *out, LOFF headers[x] = this_one; else { - safe_realloc (&headers[x], mutt_strlen (headers[x]) + - mutt_strlen (this_one) + sizeof (char)); - strcat (headers[x], this_one); /* __STRCAT_CHECKED__ */ + size_t newsize = mutt_strlen (headers[x]) + mutt_strlen (this_one) + 1; + safe_realloc (&headers[x], newsize); + safe_strcat (headers[x], newsize, this_one); FREE (&this_one); } @@ -880,14 +880,14 @@ static void format_address_header (char l = mutt_strlen (buf); if (count && linelen + l > 74) { - strcpy (cbuf, "\n\t"); /* __STRCPY_CHECKED__ */ + strfcpy (cbuf, "\n\t", sizeof (cbuf)); linelen = l + 8; } else { if (a->mailbox) { - strcpy (cbuf, " "); /* __STRCPY_CHECKED__ */ + strfcpy (cbuf, " ", sizeof (cbuf)); linelen++; } linelen += l; 
@@ -896,18 +896,18 @@ static void format_address_header (char { linelen++; buflen++; - strcpy (c2buf, ","); /* __STRCPY_CHECKED__ */ + strfcpy (c2buf, ",", sizeof (c2buf)); } buflen += l + mutt_strlen (cbuf) + mutt_strlen (c2buf); safe_realloc (h, buflen); - strcat (*h, cbuf); /* __STRCAT_CHECKED__ */ - strcat (*h, buf); /* __STRCAT_CHECKED__ */ - strcat (*h, c2buf); /* __STRCAT_CHECKED__ */ + safe_strcat (*h, buflen, cbuf); + safe_strcat (*h, buflen, buf); + safe_strcat (*h, buflen, c2buf); } /* Space for this was allocated in the beginning of this function. */ - strcat (*h, "\n"); /* __STRCAT_CHECKED__ */ + safe_strcat (*h, buflen, "\n"); } static int address_header_decode (char **h) Index: crypt-gpgme.c =================================================================== RCS file: /home/roessler/cvs/mutt/crypt-gpgme.c,v retrieving revision 3.10 diff -p -u -r3.10 crypt-gpgme.c --- crypt-gpgme.c 21 Oct 2005 04:35:37 -0000 3.10 +++ crypt-gpgme.c 20 May 2006 13:51:45 -0000 @@ -1090,6 +1090,7 @@ static void show_fingerprint (gpgme_key_ int i, is_pgp; char *buf, *p; const char *prefix = _("Fingerprint: "); + size_t buflen; if (!key) return; @@ -1098,8 +1099,9 @@ static void show_fingerprint (gpgme_key_ return; is_pgp = (key->protocol == GPGME_PROTOCOL_OpenPGP); - buf = safe_malloc ( strlen (prefix) + strlen(s) * 4 + 2 ); - strcpy (buf, prefix); /* __STRCPY_CHECKED__ */ + buflen = strlen (prefix) + strlen (s) * 4 + 2; + buf = safe_malloc (buflen); + strfcpy (buf, prefix, buflen); p = buf + strlen (buf); if (is_pgp && strlen (s) == 40) { /* PGP v4 style formatted. */ 
@@ -3560,15 +3562,15 @@ static crypt_key_t *crypt_select_key (cr helpstr[0] = 0; mutt_make_help (buf, sizeof (buf), _("Exit "), menu_to_use, OP_EXIT); - strcat (helpstr, buf); /* __STRCAT_CHECKED__ */ + safe_strcat (helpstr, sizeof (helpstr), buf); mutt_make_help (buf, sizeof (buf), _("Select "), menu_to_use, OP_GENERIC_SELECT_ENTRY); - strcat (helpstr, buf); /* __STRCAT_CHECKED__ */ + safe_strcat (helpstr, sizeof (helpstr), buf); mutt_make_help (buf, sizeof (buf), _("Check key "), menu_to_use, OP_VERIFY_KEY); - strcat (helpstr, buf); /* __STRCAT_CHECKED__ */ + safe_strcat (helpstr, sizeof (helpstr), buf); mutt_make_help (buf, sizeof (buf), _("Help"), menu_to_use, OP_HELP); - strcat (helpstr, buf); /* __STRCAT_CHECKED__ */ + safe_strcat (helpstr, sizeof (helpstr), buf); menu = mutt_new_menu (); menu->max = i; @@ -4068,7 +4070,7 @@ static char *find_keys (ADDRESS *to, ADD keylist_size += mutt_strlen (s) + 4 + 1; safe_realloc (&keylist, keylist_size); - sprintf (keylist + keylist_used, "%s0x%s%s", /* __SPRINTF_CHECKED__ */ + snprintf (keylist + keylist_used, keylist_size - keylist_used, "%s0x%s%s", keylist_used ? " " : "", s, forced_valid? "!":""); } Index: curs_lib.c =================================================================== RCS file: /home/roessler/cvs/mutt/curs_lib.c,v retrieving revision 3.24 diff -p -u -r3.24 curs_lib.c --- curs_lib.c 3 Oct 2005 07:52:00 -0000 3.24 +++ curs_lib.c 20 May 2006 13:51:46 -0000 
@@ -479,9 +479,10 @@ int _mutt_enter_fname (const char *promp } else { - char *pc = safe_malloc (mutt_strlen (prompt) + 3); + size_t plen = mutt_strlen (prompt) + 3; + char *pc = safe_malloc (plen); - sprintf (pc, "%s: ", prompt); /* __SPRINTF_CHECKED__ */ + snprintf (pc, plen, "%s: ", prompt); mutt_ungetch (ch.op ? 0 : ch.ch, ch.op ? ch.op : 0); if (_mutt_get_field (pc, buf, blen, (buffy ? M_EFILE : M_FILE) | M_CLEAR, multiple, files, numfiles) != 0) Index: edit.c =================================================================== RCS file: /home/roessler/cvs/mutt/edit.c,v retrieving revision 3.9 diff -p -u -r3.9 edit.c --- edit.c 21 Oct 2005 04:35:37 -0000 3.9 +++ edit.c 20 May 2006 13:51:46 -0000 @@ -162,7 +162,7 @@ be_include_messages (char *msg, char **b if (Attribution) { mutt_make_string (tmp, sizeof (tmp) - 1, Attribution, Context, Context->hdrs[n]); - strcat (tmp, "\n"); /* __STRCAT_CHECKED__ */ + safe_strcat (tmp, sizeof (tmp), "\n"); } if (*bufmax == *buflen) Index: handler.c =================================================================== RCS file: /home/roessler/cvs/mutt/handler.c,v retrieving revision 3.26 diff -p -u -r3.26 handler.c --- handler.c 16 Dec 2005 18:49:40 -0000 3.26 +++ handler.c 20 May 2006 13:51:47 -0000 @@ -592,7 +592,7 @@ static void enriched_flush (struct enric stte->line_max = stte->line_used; safe_realloc (&stte->line, stte->line_max + 1); } - strcat (stte->line, stte->buffer); /* __STRCAT_CHECKED__ */ + safe_strcat (stte->line, stte->line_max + 1, stte->buffer); stte->line_len += stte->word_len; stte->word_len = 0; stte->buff_used = 0; Index: hdrline.c =================================================================== RCS file: /home/roessler/cvs/mutt/hdrline.c,v retrieving revision 3.19 diff -p -u -r3.19 hdrline.c --- hdrline.c 28 Apr 2006 19:52:44 -0000 3.19 +++ hdrline.c 20 May 2006 13:51:47 -0000 
@@ -349,7 +349,7 @@ hdr_format_str (char *dest, { if (len >= 5) { - sprintf (p, "%c%02u%02u", hdr->zoccident ? '-' : '+', + snprintf (p, destlen - (p - dest), "%c%02u%02u", hdr->zoccident ? '-' : '+', hdr->zhours, hdr->zminutes); p += 5; len -= 5; Index: init.c =================================================================== RCS file: /home/roessler/cvs/mutt/init.c,v retrieving revision 3.54 diff -p -u -r3.54 init.c --- init.c 18 May 2006 17:35:29 -0000 3.54 +++ init.c 20 May 2006 13:51:49 -0000 @@ -271,7 +271,7 @@ int mutt_extract_token (BUFFER *dest, BU tok->dsize = expnlen + mutt_strlen (tok->dptr) + 1; ptr = safe_malloc (tok->dsize); memcpy (ptr, expn.data, expnlen); - strcpy (ptr + expnlen, tok->dptr); /* __STRCPY_CHECKED__ */ + strfcpy (ptr + expnlen, tok->dptr, tok->dsize - expnlen); if (tok->destroy) FREE (&tok->data); tok->data = ptr; @@ -973,7 +973,7 @@ static int parse_attach_list (BUFFER *bu len = strlen(a->minor); tmpminor = safe_malloc(len+3); - strcpy(&tmpminor[1], a->minor); /* __STRCPY_CHECKED__ */ + strfcpy(&tmpminor[1], a->minor, len+2); tmpminor[0] = '^'; tmpminor[len+1] = '$'; tmpminor[len+2] = '\0'; @@ -2828,8 +2828,9 @@ void mutt_init (int skip_sys_rc, LIST *c #endif /* DOMAIN */ if (*DOMAIN != '@') { - Fqdn = safe_malloc (mutt_strlen (DOMAIN) + mutt_strlen (Hostname) + 2); - sprintf (Fqdn, "%s.%s", NONULL(Hostname), DOMAIN); /* __SPRINTF_CHECKED__ */ + size_t fqdnlen = mutt_strlen (DOMAIN) + mutt_strlen (Hostname) + 2; + Fqdn = safe_malloc (fqdnlen); + snprintf (Fqdn, fqdnlen, "%s.%s", NONULL(Hostname), DOMAIN); } else Fqdn = safe_strdup(NONULL(Hostname)); Index: keymap.c =================================================================== RCS file: /home/roessler/cvs/mutt/keymap.c,v retrieving revision 3.17 diff -p -u -r3.17 keymap.c --- keymap.c 17 Sep 2005 20:46:10 -0000 3.17 +++ keymap.c 20 May 2006 13:51:49 -0000 
@@ -508,7 +508,7 @@ char *km_keyname (int c) snprintf (buf, sizeof (buf), "\\%d%d%d", c >> 6, (c >> 3) & 7, c & 7); } else if (c >= KEY_F0 && c < KEY_F(256)) /* this maximum is just a guess */ - sprintf (buf, "", c - KEY_F0); + snprintf (buf, sizeof (buf), "", c - KEY_F0); else if (IsPrint (c)) snprintf (buf, sizeof (buf), "%c", (unsigned char) c); else Index: lib.c =================================================================== RCS file: /home/roessler/cvs/mutt/lib.c,v retrieving revision 3.20 diff -p -u -r3.20 lib.c --- lib.c 18 May 2006 17:35:29 -0000 3.20 +++ lib.c 20 May 2006 13:51:50 -0000 @@ -396,8 +396,8 @@ int safe_symlink(const char *oldpath, co (strlen (abs_oldpath) + 1 + strlen (oldpath) + 1 > sizeof abs_oldpath)) return -1; - strcat (abs_oldpath, "/"); /* __STRCAT_CHECKED__ */ - strcat (abs_oldpath, oldpath); /* __STRCAT_CHECKED__ */ + safe_strcat (abs_oldpath, sizeof (abs_oldpath), "/"); + safe_strcat (abs_oldpath, sizeof (abs_oldpath), oldpath); if (symlink (abs_oldpath, newpath) == -1) return -1; } Index: mutt_idna.c =================================================================== RCS file: /home/roessler/cvs/mutt/mutt_idna.c,v retrieving revision 3.14 diff -p -u -r3.14 mutt_idna.c --- mutt_idna.c 18 May 2006 17:35:29 -0000 3.14 +++ mutt_idna.c 20 May 2006 13:51:50 -0000 @@ -164,8 +164,9 @@ int mutt_addrlist_to_idna (ADDRESS *a, c } else { - safe_realloc (&a->mailbox, mutt_strlen (user) + mutt_strlen (tmp) + 2); - sprintf (a->mailbox, "%s@%s", NONULL(user), NONULL(tmp)); /* __SPRINTF_CHECKED__ */ + size_t boxlen = mutt_strlen (user) + mutt_strlen (tmp) + 2; + safe_realloc (&a->mailbox, boxlen); + snprintf (a->mailbox, boxlen, "%s@%s", NONULL(user), NONULL(tmp)); } FREE (&domain); 
@@ -193,8 +194,9 @@ int mutt_addrlist_to_local (ADDRESS *a) if (mutt_idna_to_local (domain, &tmp, 0) == 0) { - safe_realloc (&a->mailbox, mutt_strlen (user) + mutt_strlen (tmp) + 2); - sprintf (a->mailbox, "%s@%s", NONULL (user), NONULL (tmp)); /* __SPRINTF_CHECKED__ */ + size_t boxlen = mutt_strlen (user) + mutt_strlen (tmp) + 2; + safe_realloc (&a->mailbox, boxlen); + snprintf (a->mailbox, boxlen, "%s@%s", NONULL (user), NONULL (tmp)); } FREE (&domain); @@ -214,6 +216,7 @@ const char *mutt_addr_for_display (ADDRE * the mbox_to_udomain(), but for safety... */ char *domain = NULL; char *user = NULL; + size_t bufflen; FREE (&buff); @@ -227,8 +230,9 @@ const char *mutt_addr_for_display (ADDRE return a->mailbox; } - safe_realloc (&buff, mutt_strlen (tmp) + mutt_strlen (user) + 2); - sprintf (buff, "%s@%s", NONULL(user), NONULL(tmp)); /* __SPRINTF_CHECKED__ */ + bufflen = mutt_strlen (tmp) + mutt_strlen (user) + 2; + safe_realloc (&buff, bufflen); + snprintf (buff, bufflen, "%s@%s", NONULL(user), NONULL(tmp)); FREE (&tmp); FREE (&user); FREE (&domain); Index: parse.c =================================================================== RCS file: /home/roessler/cvs/mutt/parse.c,v retrieving revision 3.23 diff -p -u -r3.23 parse.c --- parse.c 28 Apr 2006 19:52:45 -0000 3.23 +++ parse.c 20 May 2006 13:51:51 -0000 @@ -123,9 +123,10 @@ static LIST *mutt_parse_references (char m = strlen (s); if (s[m - 1] == '>') { - new = safe_malloc (sizeof (char) * (n + m + 1)); - strcpy (new, o); /* __STRCPY_CHECKED__ */ - strcpy (new + n, s); /* __STRCPY_CHECKED__ */ + size_t nlen = n + m + 1; + new = safe_malloc (nlen); + strfcpy (new, o, nlen); + strfcpy (new + n, s, nlen - n); } } if (new) Index: pgp.c =================================================================== RCS file: /home/roessler/cvs/mutt/pgp.c,v retrieving revision 3.61 diff -p -u -r3.61 pgp.c --- pgp.c 22 Nov 2005 12:31:58 -0000 3.61 +++ pgp.c 20 May 2006 13:51:51 -0000 
@@ -822,7 +822,7 @@ BODY *pgp_decrypt_part (BODY *a, STATE * { len = mutt_strlen (buf); if (len > 1 && buf[len - 2] == '\r') - strcpy (buf + len - 2, "\n"); /* __STRCPY_CHECKED__ */ + strfcpy (buf + len - 2, "\n", sizeof (buf) - len + 2); fputs (buf, fpout); } @@ -1221,8 +1221,8 @@ char *pgp_findKeys (ADDRESS *to, ADDRESS bypass_selection: keylist_size += mutt_strlen (keyID) + 4; safe_realloc (&keylist, keylist_size); - sprintf (keylist + keylist_used, "%s0x%s", keylist_used ? " " : "", /* __SPRINTF_CHECKED__ */ - keyID); + snprintf (keylist + keylist_used, keylist_size - keylist_used, + "%s0x%s", keylist_used ? " " : "", keyID); keylist_used = mutt_strlen (keylist); pgp_free_key (&key); Index: pgpinvoke.c =================================================================== RCS file: /home/roessler/cvs/mutt/pgpinvoke.c,v retrieving revision 3.8 diff -p -u -r3.8 pgpinvoke.c --- pgpinvoke.c 17 Sep 2005 20:46:10 -0000 3.8 +++ pgpinvoke.c 20 May 2006 13:51:52 -0000 @@ -345,7 +345,7 @@ pid_t pgp_invoke_list_keys (FILE **pgpin { mutt_quote_filename (quoted, sizeof (quoted), (char *) hints->data); snprintf (tmpuids, sizeof (tmpuids), "%s %s", uids, quoted); - strcpy (uids, tmpuids); /* __STRCPY_CHECKED__ */ + strfcpy (uids, tmpuids, sizeof (uids)); } return pgp_invoke (pgpin, pgpout, pgperr, pgpinfd, pgpoutfd, pgperrfd, Index: pgpkey.c =================================================================== RCS file: /home/roessler/cvs/mutt/pgpkey.c,v retrieving revision 3.11 diff -p -u -r3.11 pgpkey.c --- pgpkey.c 17 Sep 2005 20:46:11 -0000 3.11 +++ pgpkey.c 20 May 2006 13:51:52 -0000 
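Review bot: `strfcpy (uids, tmpuids, sizeof (uids))` in `pgp_invoke_list_keys` can cut the hint list in the middle of an argument produced by `mutt_quote_filename`, and the `snprintf` into `tmpuids` just before it can do the same. Both buffer declarations are outside the hunk, so their sizes cannot be confirmed here. `uids` appears to be passed on to `pgp_invoke`, and a last argument that has lost its closing quote is worse than a missing hint. Comparing the `snprintf` return value against `sizeof (tmpuids)` and leaving `uids` untouched when the new hint does not fit would keep the list made of whole, fully quoted arguments.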
@@ -512,14 +512,14 @@ static pgp_key_t pgp_select_key (pgp_key helpstr[0] = 0; mutt_make_help (buf, sizeof (buf), _("Exit "), MENU_PGP, OP_EXIT); - strcat (helpstr, buf); /* __STRCAT_CHECKED__ */ + safe_strcat (helpstr, sizeof (helpstr), buf); mutt_make_help (buf, sizeof (buf), _("Select "), MENU_PGP, OP_GENERIC_SELECT_ENTRY); - strcat (helpstr, buf); /* __STRCAT_CHECKED__ */ + safe_strcat (helpstr, sizeof (helpstr), buf); mutt_make_help (buf, sizeof (buf), _("Check key "), MENU_PGP, OP_VERIFY_KEY); - strcat (helpstr, buf); /* __STRCAT_CHECKED__ */ + safe_strcat (helpstr, sizeof (helpstr), buf); mutt_make_help (buf, sizeof (buf), _("Help"), MENU_PGP, OP_HELP); - strcat (helpstr, buf); /* __STRCAT_CHECKED__ */ + safe_strcat (helpstr, sizeof (helpstr), buf); menu = mutt_new_menu (); menu->max = i; Index: pop.c =================================================================== RCS file: /home/roessler/cvs/mutt/pop.c,v retrieving revision 3.9 diff -p -u -r3.9 pop.c --- pop.c 21 Oct 2005 04:35:37 -0000 3.9 +++ pop.c 20 May 2006 13:51:52 -0000 @@ -536,8 +536,9 @@ void pop_fetch_mail (void) { char buffer[LONG_STRING]; char msgbuf[SHORT_STRING]; - char *url, *p; + char *url; int i, delanswer, last = 0, msgs, bytes, rset = 0, ret; + size_t urllen; CONNECTION *conn; CONTEXT ctx; MESSAGE *msg = NULL; 
@@ -550,13 +551,11 @@ void pop_fetch_mail (void) return; } - url = p = safe_calloc (strlen (PopHost) + 7, sizeof (char)); + urllen = strlen (PopHost) + 7; + url = safe_calloc (urllen, sizeof (char)); if (url_check_scheme (PopHost) == U_UNKNOWN) - { - strcpy (url, "pop://"); /* __STRCPY_CHECKED__ */ - p = strchr (url, '\0'); - } - strcpy (p, PopHost); /* __STRCPY_CHECKED__ */ + strfcpy (url, "pop://", urllen); + safe_strcat (url, urllen, PopHost); ret = pop_parse_path (url, &acct); FREE (&url); Index: pop_auth.c =================================================================== RCS file: /home/roessler/cvs/mutt/pop_auth.c,v retrieving revision 3.7 diff -p -u -r3.7 pop_auth.c --- pop_auth.c 17 Sep 2005 20:46:11 -0000 3.7 +++ pop_auth.c 20 May 2006 13:51:52 -0000 @@ -192,7 +192,7 @@ static pop_auth_res_t pop_auth_apop (POP MD5Final (digest, &mdContext); for (i = 0; i < sizeof (digest); i++) - sprintf (hash + 2 * i, "%02x", digest[i]); + snprintf (hash + 2 * i, sizeof (hash) - (2 * i), "%02x", digest[i]); /* Send APOP command to server */ snprintf (buf, sizeof (buf), "APOP %s %s\r\n", pop_data->conn->account.user, hash); Index: pop_lib.c =================================================================== RCS file: /home/roessler/cvs/mutt/pop_lib.c,v retrieving revision 3.13 diff -p -u -r3.13 pop_lib.c --- pop_lib.c 28 Apr 2006 08:35:03 -0000 3.13 +++ pop_lib.c 20 May 2006 13:51:53 -0000 
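Review bot: The rewritten URL construction in `pop_fetch_mail` now depends on `safe_calloc` zero-filling `url`. When `url_check_scheme` recognises a scheme nothing is copied first, so `safe_strcat (url, urllen, PopHost)` appends to what must already be an empty string. That dependency deserves a comment above the append, for example `/* url was zero-filled by safe_calloc, so this appends to "" when PopHost already has a scheme */`. Without it, a later switch to `safe_malloc` would make the append scan uninitialised memory. The function starts and ends outside this hunk.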
@@ -117,19 +117,20 @@ static int fetch_capa (char *line, void static int fetch_auth (char *line, void *data) { POP_DATA *pop_data = (POP_DATA *)data; + size_t listlen; if (!pop_data->auth_list) { - pop_data->auth_list = safe_malloc (strlen (line) + 1); + pop_data->auth_list = safe_malloc (listlen = strlen (line) + 1); *pop_data->auth_list = '\0'; } else { - safe_realloc (&pop_data->auth_list, - strlen (pop_data->auth_list) + strlen (line) + 2); - strcat (pop_data->auth_list, " "); /* __STRCAT_CHECKED__ */ + listlen = strlen (pop_data->auth_list) + strlen (line) + 2; + safe_realloc (&pop_data->auth_list, listlen); + safe_strcat (pop_data->auth_list, listlen, " "); } - strcat (pop_data->auth_list, line); /* __STRCAT_CHECKED__ */ + safe_strcat (pop_data->auth_list, listlen, line); return 0; } Index: query.c =================================================================== RCS file: /home/roessler/cvs/mutt/query.c,v retrieving revision 3.11 diff -p -u -r3.11 query.c --- query.c 3 Mar 2006 09:55:46 -0000 3.11 +++ query.c 20 May 2006 13:51:53 -0000 @@ -493,7 +493,7 @@ static void query_menu (char *buf, size_ { ADDRESS *tmpa = result_to_addr (QueryTable[i].data); mutt_addrlist_to_local (tmpa); - strcat (buf, ", "); /* __STRCAT_CHECKED__ */ + safe_strcat (buf, buflen, ", "); rfc822_write_address ((char *) buf + curpos + 1, buflen - curpos - 1, tmpa, 0); curpos = mutt_strlen (buf); Index: rfc2231.c =================================================================== RCS file: /home/roessler/cvs/mutt/rfc2231.c,v retrieving revision 3.8 diff -p -u -r3.8 rfc2231.c --- rfc2231.c 18 May 2006 17:35:30 -0000 3.8 +++ rfc2231.c 20 May 2006 13:51:53 -0000 @@ -287,7 +287,7 @@ static void rfc2231_join_continuations ( vl = strlen (par->value); safe_realloc (&value, l + vl + 1); - strcpy (value + l, par->value); /* __STRCPY_CHECKED__ */ + strfcpy (value + l, par->value, vl + 1); l += vl; q = par->next; 
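Review bot: In `fetch_auth`, `safe_malloc (listlen = strlen (line) + 1)` hides the assignment of `listlen` inside an argument list, while the `else` branch computes it in a statement of its own. The value is later used as the bound for `safe_strcat`, so it should be as easy to spot in both branches. Writing `listlen = strlen (line) + 1;` followed by `pop_data->auth_list = safe_malloc (listlen);` matches the other branch and changes no behaviour.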
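Review bot: In the `query_menu` hunk, the call after `safe_strcat (buf, buflen, ", ")` still writes at `buf + curpos + 1` with length `buflen - curpos - 1`, and no check that at least two bytes remain is visible in the hunk. If `curpos` can reach `buflen - 1`, the separator is dropped and `rfc822_write_address` is handed a zero-length buffer one past the terminator; whether that is safe depends on that function, which is not shown. A guard such as `if (curpos + 2 < buflen)` around the append and the write would close this, unless one already exists in the enclosing block outside the hunk.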
@@ -348,14 +348,15 @@ int rfc2231_encode_string (char **pd) if (encode) { - e = safe_malloc (dlen + 2*ext + strlen (charset) + 3); - sprintf (e, "%s''", charset); /* __SPRINTF_CHECKED__ */ + size_t elen = dlen + 2*ext + strlen (charset) + 3; + e = safe_malloc (elen); + snprintf (e, elen, "%s''", charset); t = e + strlen (e); for (s = d, slen = dlen; slen; s++, slen--) if (*s < 0x20 || *s >= 0x7f || strchr (MimeSpecials, *s) || strchr ("*'%", *s)) { - sprintf (t, "%%%02X", (unsigned char)*s); + snprintf (t, elen - (t - e), "%%%02X", (unsigned char)*s); t += 3; } else Index: rfc822.c =================================================================== RCS file: /home/roessler/cvs/mutt/rfc822.c,v retrieving revision 3.10 diff -p -u -r3.10 rfc822.c --- rfc822.c 18 May 2006 17:35:30 -0000 3.10 +++ rfc822.c 20 May 2006 13:51:54 -0000 @@ -513,8 +513,9 @@ void rfc822_qualify (ADDRESS *addr, cons for (; addr; addr = addr->next) if (!addr->group && addr->mailbox && strchr (addr->mailbox, '@') == NULL) { - p = safe_malloc (mutt_strlen (addr->mailbox) + mutt_strlen (host) + 2); - sprintf (p, "%s@%s", addr->mailbox, host); /* __SPRINTF_CHECKED__ */ + size_t plen = mutt_strlen (addr->mailbox) + mutt_strlen (host) + 2; + p = safe_malloc (plen); + snprintf (p, plen, "%s@%s", addr->mailbox, host); FREE (&addr->mailbox); addr->mailbox = p; } Index: send.c =================================================================== RCS file: /home/roessler/cvs/mutt/send.c,v retrieving revision 3.45 diff -p -u -r3.45 send.c --- send.c 9 Jan 2006 19:43:59 -0000 3.45 +++ send.c 20 May 2006 13:51:55 -0000 
@@ -614,9 +614,10 @@ void mutt_make_misc_reply_headers (ENVEL */ if (curenv->real_subj) { + size_t sublen = mutt_strlen (curenv->real_subj) + 5; FREE (&env->subject); - env->subject = safe_malloc (mutt_strlen (curenv->real_subj) + 5); - sprintf (env->subject, "Re: %s", curenv->real_subj); /* __SPRINTF_CHECKED__ */ + env->subject = safe_malloc (sublen); + snprintf (env->subject, sublen, "Re: %s", curenv->real_subj); } else if (!env->subject) env->subject = safe_strdup ("Re: your mail"); @@ -944,9 +945,10 @@ ADDRESS *mutt_default_from (void) adr = rfc822_cpy_adr_real (From); else if (option (OPTUSEDOMAIN)) { + size_t boxlen = mutt_strlen (Username) + mutt_strlen (fqdn) + 2; adr = rfc822_new_address (); - adr->mailbox = safe_malloc (mutt_strlen (Username) + mutt_strlen (fqdn) + 2); - sprintf (adr->mailbox, "%s@%s", NONULL(Username), NONULL(fqdn)); /* __SPRINTF_CHECKED__ */ + adr->mailbox = safe_malloc (boxlen); + snprintf (adr->mailbox, boxlen, "%s@%s", NONULL(Username), NONULL(fqdn)); } else { Index: sendlib.c =================================================================== RCS file: /home/roessler/cvs/mutt/sendlib.c,v retrieving revision 3.38 diff -p -u -r3.38 sendlib.c --- sendlib.c 18 May 2006 17:35:30 -0000 3.38 +++ sendlib.c 20 May 2006 13:51:56 -0000 @@ -140,7 +140,7 @@ static void encode_quoted (FGETCONV * fc { if (linelen < 74) { - sprintf (line+linelen-1, "=%2.2X", (unsigned char) line[linelen-1]); + snprintf (line+linelen-1, sizeof (line) - linelen + 1, "=%2.2X", (unsigned char) line[linelen-1]); fputs (line, fout); } else @@ -174,7 +174,7 @@ static void encode_quoted (FGETCONV * fc fputc ('\n', fout); linelen = 0; } - sprintf (line+linelen,"=%2.2X", (unsigned char) c); + snprintf (line+linelen, sizeof (line) - linelen, "=%2.2X", (unsigned char) c); linelen += 3; } else 
@@ -193,7 +193,7 @@ static void encode_quoted (FGETCONV * fc { /* take care of trailing whitespace */ if (linelen < 74) - sprintf (line+linelen-1, "=%2.2X", (unsigned char) line[linelen-1]); + snprintf (line+linelen-1, sizeof (line) - linelen + 1, "=%2.2X", (unsigned char) line[linelen-1]); else { savechar = line[linelen-1]; @@ -201,7 +201,7 @@ static void encode_quoted (FGETCONV * fc line[linelen] = 0; fputs (line, fout); fputc ('\n', fout); - sprintf (line, "=%2.2X", (unsigned char) savechar); + snprintf (line, sizeof (line), "=%2.2X", (unsigned char) savechar); } } else @@ -1660,6 +1660,7 @@ static void encode_headers (LIST *h) char *tmp; char *p; int i; + size_t dlen; for (; h; h = h->next) { @@ -1674,9 +1675,10 @@ static void encode_headers (LIST *h) continue; rfc2047_encode_string (&tmp); - safe_realloc (&h->data, mutt_strlen (h->data) + 2 + mutt_strlen (tmp) + 1); + dlen = mutt_strlen (h->data) + 2 + mutt_strlen (tmp) + 1; + safe_realloc (&h->data, dlen); - sprintf (h->data + i, ": %s", NONULL (tmp)); /* __SPRINTF_CHECKED__ */ + snprintf (h->data + i, dlen - i, ": %s", NONULL (tmp)); FREE (&tmp); } @@ -2024,9 +2026,9 @@ mutt_invoke_sendmail (ADDRESS *from, /* string. */ char *mutt_append_string (char *a, const char *b) { - size_t la = mutt_strlen (a); - safe_realloc (&a, la + mutt_strlen (b) + 1); - strcpy (a + la, b); /* __STRCPY_CHECKED__ */ + size_t la = mutt_strlen (a), lb = mutt_strlen (b); + safe_realloc (&a, la + lb + 1); + strfcpy (a + la, b, lb + 1); return (a); } Index: smime.c =================================================================== RCS file: /home/roessler/cvs/mutt/smime.c,v retrieving revision 3.48 diff -p -u -r3.48 smime.c --- smime.c 16 Dec 2005 18:49:40 -0000 3.48 +++ smime.c 20 May 2006 13:51:57 -0000 
@@ -429,12 +429,12 @@ char* smime_ask_for_key (char *prompt, c /* Make Helpstring */ helpstr[0] = 0; mutt_make_help (buf, sizeof (buf), _("Exit "), MENU_SMIME, OP_EXIT); - strcat (helpstr, buf); /* __STRCAT_CHECKED__ */ + safe_strcat (helpstr, sizeof (helpstr), buf); mutt_make_help (buf, sizeof (buf), _("Select "), MENU_SMIME, OP_GENERIC_SELECT_ENTRY); - strcat (helpstr, buf); /* __STRCAT_CHECKED__ */ + safe_strcat (helpstr, sizeof (helpstr), buf); mutt_make_help (buf, sizeof(buf), _("Help"), MENU_SMIME, OP_HELP); - strcat (helpstr, buf); /* __STRCAT_CHECKED__ */ + safe_strcat (helpstr, sizeof (helpstr), buf); /* Create the menu */ menu = mutt_new_menu(); @@ -465,7 +465,7 @@ char* smime_ask_for_key (char *prompt, c } if (hash) { fname = safe_malloc(13); /* Hash + '.' + Suffix + \0 */ - sprintf(fname, "%.8x.%i", Table[cur].hash, Table[cur].suffix); + snprintf(fname, 13, "%.8x.%i", Table[cur].hash, Table[cur].suffix); } else fname = NULL; @@ -802,7 +802,7 @@ char *smime_findKeys (ADDRESS *to, ADDRE keylist_size += mutt_strlen (keyID) + 2; safe_realloc (&keylist, keylist_size); - sprintf (keylist + keylist_used, "%s\n", keyID); /* __SPRINTF_CHECKED__ */ + snprintf (keylist + keylist_used, keylist_size - keylist_used, "%s\n", keyID); keylist_used = mutt_strlen (keylist); rfc822_free_address (&addr); Index: imap/imap.c =================================================================== RCS file: /home/roessler/cvs/mutt/imap/imap.c,v retrieving revision 3.81 diff -p -u -r3.81 imap.c --- imap/imap.c 18 May 2006 18:35:10 -0000 3.81 +++ imap/imap.c 20 May 2006 13:51:58 -0000 @@ -262,7 +262,7 @@ void imap_expunge_mailbox (IMAP_DATA* id #if USE_HCACHE if (hc) { - sprintf (uidbuf, "/%u", HEADER_DATA(h)->uid); + snprintf (uidbuf, sizeof (uidbuf), "/%u", HEADER_DATA(h)->uid); mutt_hcache_delete (hc, uidbuf, imap_hcache_keylen); } #endif 
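Review bot: In `smime_ask_for_key`, `snprintf(fname, 13, "%.8x.%i", ...)` repeats the literal from `safe_malloc(13)`, and 13 bytes leave room for only three suffix characters after the eight hex digits and the dot. A longer suffix used to overflow the buffer; it is now cut silently, and the shortened name could refer to a different key or certificate file than the one selected. Holding the size in one named variable and treating a return value `>= ` that size as an error (free `fname` and fall back to the `NULL` case) would remove both the duplicated magic number and the silent truncation.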
@@ -1148,7 +1148,7 @@ int imap_sync_mailbox (CONTEXT* ctx, int #if USE_HCACHE if (hc && h->deleted) { - sprintf (uidbuf, "/%u", HEADER_DATA(h)->uid); + snprintf (uidbuf, sizeof (uidbuf), "/%u", HEADER_DATA(h)->uid); mutt_hcache_delete (hc, uidbuf, imap_hcache_keylen); } #endif Index: imap/message.c =================================================================== RCS file: /home/roessler/cvs/mutt/imap/message.c,v retrieving revision 3.50 diff -p -u -r3.50 message.c --- imap/message.c 18 May 2006 18:35:10 -0000 3.50 +++ imap/message.c 20 May 2006 13:51:59 -0000 @@ -158,7 +158,7 @@ int imap_read_headers (IMAP_DATA* idata, else if (mfhrc < 0) break; - sprintf(uid_buf, "/%u", h.data->uid); /* XXX --tg 21:41 04-07-11 */ + snprintf(uid_buf, sizeof (uid_buf), "/%u", h.data->uid); /* XXX --tg 21:41 04-07-11 */ uid_validity = (unsigned int*)mutt_hcache_fetch (hc, uid_buf, &imap_hcache_keylen); if (uid_validity != NULL && *uid_validity == idata->uid_validity) @@ -287,7 +287,7 @@ int imap_read_headers (IMAP_DATA* idata, ctx->hdrs[msgno]->content->length = h.content_length; #if USE_HCACHE - sprintf(uid_buf, "/%u", h.data->uid); + snprintf(uid_buf, sizeof (uid_buf), "/%u", h.data->uid); mutt_hcache_store(hc, uid_buf, ctx->hdrs[msgno], idata->uid_validity, &imap_hcache_keylen); #endif /* USE_HCACHE */