Buffer overflow from OpenBSD:

Rev 1.4 deraadt: (partial from full commit, other files not done yet)
	proactive bounds checking; help from millert
Rev 1.5 millert:
	Possible buf oflow.

Plus minor style nits to keep the style police happy (I hope)
Obtained from: OpenBSD

1 files changed, 8 insertions, 5 deletions

diff --git a/usr.sbin/lpr/common_source/displayq.c b/usr.sbin/lpr/common_source/displayq.c
index c3d5e53..a974d6f 100644
--- a/usr.sbin/lpr/common_source/displayq.c
+++ b/usr.sbin/lpr/common_source/displayq.c
@@ -199,13 +199,14 @@ displayq(format)
 	 */
 	if (nitems)
 		putchar('\n');
-	(void) sprintf(line, "%c%s", format + '\3', RP);
+	(void) snprintf(line, sizeof(line), "%c%s", format + '\3', RP);
 	cp = line;
-	for (i = 0; i < requests; i++) {
+	for (i = 0; i < requests && cp-line+10 < sizeof(line); i++) {
 		cp += strlen(cp);
 		(void) sprintf(cp, " %d", requ[i]);
 	}
-	for (i = 0; i < users; i++) {
+	for (i = 0; i < users && cp - line + 1 + strlen(user[i]) < 
+		sizeof(line); i++) {
 		cp += strlen(cp);
 		*cp++ = ' ';
 		(void) strcpy(cp, user[i]);
@@ -295,8 +296,10 @@ inform(cf)
 		default: /* some format specifer and file name? */
 			if (line[0] < 'a' || line[0] > 'z')
 				continue;
-			if (j == 0 || strcmp(file, line+1) != 0)
-				(void) strcpy(file, line+1);
+			if (j == 0 || strcmp(file, line+1) != 0) {
+				(void) strncpy(file, line+1, sizeof(file) - 1);
+				file[sizeof(file) - 1] = '\0';
+			}
 			j++;
 			continue;
 		case 'N':