Diffstat (limited to 'src/tool_dirhie.c')
| -rw-r--r-- | src/tool_dirhie.c | 10 | 
1 files changed, 6 insertions, 4 deletions
diff --git a/src/tool_dirhie.c b/src/tool_dirhie.c
index 4ba1c4375..5965f7a74 100644
--- a/src/tool_dirhie.c
+++ b/src/tool_dirhie.c
@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -98,12 +98,14 @@ CURLcode create_dir_hierarchy(const char *outfile, FILE *errors)
   char *outdup;
   char *dirbuildup;
   CURLcode result = CURLE_OK;
+  size_t outlen;
+  outlen = strlen(outfile);
   outdup = strdup(outfile);
   if(!outdup)
     return CURLE_OUT_OF_MEMORY;
-  dirbuildup = malloc(strlen(outfile) + 1);
+  dirbuildup = malloc(outlen + 1);
   if(!dirbuildup) {
     Curl_safefree(outdup);
     return CURLE_OUT_OF_MEMORY;
@@ -119,12 +121,12 @@ CURLcode create_dir_hierarchy(const char *outfile, FILE *errors)
     if(tempdir2 != NULL) {
       size_t dlen = strlen(dirbuildup);
       if(dlen)
-        sprintf(&dirbuildup[dlen], "%s%s", DIR_CHAR, tempdir);
+        snprintf(&dirbuildup[dlen], outlen - dlen, "%s%s", DIR_CHAR, tempdir);
       else {
         if(0 != strncmp(outdup, DIR_CHAR, 1))
           strcpy(dirbuildup, tempdir);
         else
-          sprintf(dirbuildup, "%s%s", DIR_CHAR, tempdir);
+          snprintf(dirbuildup, outlen, "%s%s", DIR_CHAR, tempdir);
       }
       if(access(dirbuildup, F_OK) == -1) {
         if(-1 == mkdir(dirbuildup,(mode_t)0000750)) {  | 
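Review bot: Both new snprintf() calls in the last hunk discard the return value, so if the bound is ever reached the path in dirbuildup is silently truncated and the following access()/mkdir() operate on a different directory than the one requested. The sizes passed are also one byte tighter than the allocation made in the previous hunk (`malloc(outlen + 1)`): the space actually left is `outlen + 1 - dlen` at the append and `outlen + 1` at the first write. I would capture the result, e.g. `int n = snprintf(&dirbuildup[dlen], outlen + 1 - dlen, "%s%s", DIR_CHAR, tempdir);`, and take the function's error path when `n < 0 || (size_t)n >= outlen + 1 - dlen`, with the same check on the second call. Because `outlen - dlen` is unsigned, a comment stating why dlen can never exceed outlen (presumably because every component is a substring of outdup, which is not visible here) would help; the `strcpy(dirbuildup, tempdir)` left in the else branch relies on the same invariant. The body of create_dir_hierarchy starts and ends outside these hunks.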
