# DP: several bugfixes: uninitialised variables, bad access,
# DP: wrong format, aliasing violation, wrong pointer target,
# DP: NUL in format, buffer sizing, sequence point violation

--- a/draw.c
+++ b/draw.c
@@ -1127,7 +1127,7 @@ cutin(state, lx, ly, dir)
 	u_int step, x, xoff, yoff;
 	int i, sx, round;
 	int root_x, root_y, use_copy;
-	Window cutinWin, junkwin;
+	Window cutinWin = 0, junkwin;
 	XImage *copywin; 
 	static XWindowAttributes xa;
 	XWindowAttributes wa;
@@ -2846,7 +2846,7 @@ draw_onechar_x(state, code, x, y, size,
 	char *seed;
 	char *registry;
 
-	if (code >= 0xa0 && ((!argregistry || !argregistry[0]) && mgp_charset))
+	if (code >= 0xa0 && ((!argregistry || !argregistry[0]) && *mgp_charset))
 		registry = mgp_charset;
 	else 
 		registry = argregistry;
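Review bot: The new test `*mgp_charset` dereferences the pointer with no NULL check, whereas the old condition only compared the pointer itself, so a NULL mgp_charset would now crash at this line. Its declaration is outside the hunk; if it is a `char *` that can be unset rather than an array, `mgp_charset && *mgp_charset` keeps both checks. A short comment such as `/* an empty mgp_charset means no charset override */` would also record why the dereference was introduced. draw_onechar_x starts and ends outside the hunk.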
@@ -2884,7 +2884,7 @@ draw_onechar_x(state, code, x, y, size,
 			fprintf(stderr, "X11 font %s:%d:%s has bogus "
 				"font metric for glyph 0x%04x\n"
 				"\tcs->width=%d, source=%s, coffset=0x%04x\n",
-				seed, char_size, registry?registry:"NULL",
+				seed, char_size[caching], registry?registry:"NULL",
 				code, cs->width, metricsource, coffset);
 		}
 		cs = &xfontstruct->max_bounds;
@@ -3059,7 +3059,7 @@ back_gradation(state, cg0)
 			xzoomrate, yzoomrate);
 		fprintf(stderr, "background zoom mode %d: "
 			"(%d, %d)->(%d, %d)[%d]\n", cg->ct_zoomflag,
-			srcwidth, srcheight, dstwidth, dstheight, b_quality);
+			srcwidth, srcheight, dstwidth, dstheight, b_quality[caching]);
 	}
 
 	if (xzoomrate != 100.0 || yzoomrate != 100.0) {
@@ -3312,7 +3312,7 @@ image_load(state, filename, numcolor, xi
 			image = myimage;
 			myimage = zoom(image, xzoomrate, yzoomrate, verbose);
 			if (!image) {
-				fprintf(stderr, "image zoom (%dx%d) failed in image_load\n",
+				fprintf(stderr, "image zoom (%fx%f) failed in image_load\n",
 					xzoomrate, yzoomrate);
 				exit(1);
 			}
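Review bot: The failure check after the zoom call tests `image`, which was assigned from `myimage` before the call, rather than the value `zoom()` returned into `myimage`, so a failed zoom does not appear to reach the corrected message. If zoom() can return NULL the condition should be `if (!myimage) {`; if it never does, the branch is dead code and the message fix has no effect. image_load's body extends outside the hunk, so an earlier check on `myimage` cannot be ruled out.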
@@ -4194,7 +4194,7 @@ search_child_window()
 {
 	XEvent e;
 	int	fd, found = 0;
-	fd_set fdset, dumfdset; 
+	fd_set fdset, dumfdset, dumfdset2;
 	struct timeval timeout;
 
 	fd = ConnectionNumber(display);
@@ -4218,7 +4218,8 @@ search_child_window()
 		FD_ZERO(&fdset);
 		FD_SET(fd, &fdset); 	
 		FD_ZERO(&dumfdset);
-		if (!select(fd+1, &fdset, &dumfdset, &dumfdset, &timeout))
+		FD_ZERO(&dumfdset2);
+		if (!select(fd+1, &fdset, &dumfdset, &dumfdset2, &timeout))
 			break;
 	}
 
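Review bot: The write and except sets passed to `select` are always empty, so the extra `dumfdset2` (declared in the previous hunk) can be avoided by passing NULL for both: `if (!select(fd+1, &fdset, NULL, NULL, &timeout))`. That removes the aliasing of one set through two parameters without a third set to zero on every iteration. Separately, a return of -1 from select is treated like "descriptor ready" by the `!` test; whether that matters depends on the loop body, which starts outside the hunk.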
@@ -5243,7 +5244,7 @@ xft_draw_fragment(state, p, len, registr
 	static char prefix[3][20] = { "\033$B", "\033$A", "\033$(C"};
 	char buf16[1024], *p16;
 	char out16[1024], *o16;
-	int ileft, oleft;
+	size_t ileft, oleft;
 #ifdef HAVE_ICONV
 	static iconv_t icv[3];
 #endif
@@ -5268,7 +5269,7 @@ xft_draw_fragment(state, p, len, registr
 			if (!strncmp(registry, rtab[i], 3)) break;
 		}
 		if (i == 3) return NULL; /* cannot find codeset */
-		sprintf(buf16, "%s%s\0", prefix[i], p);  	
+		sprintf(buf16, "%s%s%c", prefix[i], p, 0);
 		if (icv[i] == (iconv_t)0) icv[i] = iconv_open("UTF-8", etab[i]);
 		if (icv[i] == (iconv_t)-1) {
 			fprintf(stderr, "your iconv doesn't support %s\n",
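Review bot: `sprintf(buf16, ...)` still writes the escape prefix plus all of `p` into a 1024-byte stack buffer with no length limit (buf16 is declared in the previous hunk of xft_draw_fragment), so a long text fragment overruns it; the change fixes the embedded-NUL format but not the bound. Use `n = snprintf(buf16, sizeof(buf16), "%s%s%c", prefix[i], p, 0);` and return NULL when `n < 0 || (size_t)n >= sizeof(buf16)`. Note that `%c` with 0 now emits a NUL byte in addition to the terminator, which the old format never did; a comment saying whether the second NUL is required by the iconv input would help. The same unbounded `sprintf` pattern remains in the image/zoom.c hunk, where `oimage->title` is formatted into `buf` whose size is not visible.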
@@ -5419,7 +5420,7 @@ xft_setfont(xfontarg, csize, registry)
 {
 	char *xfont;
 	static XftFont *last_xftfont;
-	static char lastfont[100];
+	static char lastfont[200];
 	static int lastsize = 0;
 	XftFont *xftfont;
 	char *p, *p2;
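Review bot: Raising `lastfont` from 100 to 200 bytes moves the overflow threshold rather than removing it. The code that copies the font name into it lies outside the hunk, so whether that copy is bounded cannot be confirmed from here. If it is a `strcpy` or `sprintf`, bound it with `snprintf(lastfont, sizeof(lastfont), "%s", ...)` on the string the function actually stores, and treat a truncated name as a cache miss rather than comparing against it.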
--- a/embed.c
+++ b/embed.c
@@ -36,38 +36,34 @@ char *mgpwdir = DEFAULT_MGPWDIR;
 char mgpwdirname[BUFSIZ] = "";
 
 char *
-allocpy(p)
-	char *p;
+allochk(char *q)
 {
-	char *q;
-
-	q = (char *)malloc(strlen(p) + 1);
 	if (q == NULL) {
 		fprintf(stderr, "malloc: %s\n", strerror(errno));
 		cleanup(-1);
 	}
-	return strcpy(q, p);
+	return (q);
 }
 
 char *
 embed_fname(fname)
 	char *fname;
 {
-	char buf[BUFSIZ];
+	char *bf = NULL;
 
 	if (strncmp(fname, EMBEDDIR, strlen(EMBEDDIR)) != 0)
 		return fname;
 	fname += strlen(EMBEDDIR);
 	if (*mgpwdirname == '\0') {	/* not initialized yet */
-		sprintf(mgpwdirname, "%s/mgp.%d", mgpwdir, getpid());
+		snprintf(mgpwdirname, sizeof(mgpwdirname), "%s/mgp.%d", mgpwdir, getpid());
 		if (mkdir(mgpwdirname, 0700) < 0) {
 			fprintf(stderr, "%s: %s\n", mgpwdirname,
 				strerror(errno));
 			cleanup(-1);
 		}
 	}
-	sprintf(buf, "%s/%s", mgpwdirname, fname);
-	return allocpy(buf);
+	asprintf(&bf, "%s/%s", mgpwdirname, fname);
+	return allochk(bf);
 }
 
 void
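Review bot: The return value of `asprintf` is ignored in embed_fname, and on failure some C libraries leave the output pointer undefined rather than NULL, so `allochk(bf)` is not a reliable failure test. Check the call itself, e.g. `if (asprintf(&bf, "%s/%s", mgpwdirname, fname) < 0) bf = NULL;` before `return allochk(bf);`. The same unchecked call appears in embed_file (before `access` and before `system`) and in cleandir (before `unlink`), where the result is used with no NULL test at all. The `snprintf` into mgpwdirname likewise discards its result, so a truncated directory name would be passed to mkdir unnoticed. A one-line comment on allochk stating that it does not return when passed NULL (it calls cleanup) would document the renamed helper.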
@@ -76,6 +72,7 @@ embed_file(fp, p, lineno)
 	struct ctrl *p;
 	int *lineno;
 {
+	char *bf = NULL;
 	char buf[BUFSIZ];
 	FILE *pp;
 	struct stat st;
@@ -95,12 +92,13 @@ embed_file(fp, p, lineno)
 		fprintf(stderr, "popen: %s\n", strerror(errno));
 		cleanup(-1);
 	}
-	sprintf(buf, "%s/%s", mgpwdirname, p->ctc_value);
-	if (access(buf, F_OK) == 0) {
+	asprintf(&bf, "%s/%s", mgpwdirname, p->ctc_value);
+	if (access(bf, F_OK) == 0) {
 		fprintf(stderr, "embedded filename duplicated: %s\n",
 			p->ctc_value);
 		cleanup(-1);
 	}
+	free(bf);
 	fprintf(pp, "begin 600 %s/%s\n", mgpwdirname, p->ctc_value);
 	while (fgets(buf, sizeof(buf), fp)) {
 		(*lineno)++;
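Review bot: `p->ctc_value` is joined to mgpwdirname and written into the `begin 600` line without any check for `/` or `..` components. Unless it is validated before this point (not visible in the hunk), a presentation file can name a decode target outside the private work directory. Rejecting such names before the `asprintf`, for example `if (strchr(p->ctc_value, '/') != NULL) { fprintf(stderr, "bad embedded filename: %s\n", p->ctc_value); cleanup(-1); }`, keeps the 0700 directory as the only place written. embed_file starts and ends outside the hunk.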
@@ -112,8 +110,9 @@ embed_file(fp, p, lineno)
 	pclose(pp);
 	len = strlen(p->ctc_value);
 	if (len > 3 && strncmp(p->ctc_value + len - 3, ".gz", 3) == 0) {
-		sprintf(buf, "%s %s/%s", GUNZIP, mgpwdirname, p->ctc_value);
-		system(buf);
+		asprintf(&bf, "%s %s/%s", GUNZIP, mgpwdirname, p->ctc_value);
+		system(bf);
+		free(bf);
 	}
 	return;
 }
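Review bot: The gunzip step still builds a shell command from `p->ctc_value` and hands it to `system()`, so any shell metacharacters in the embedded file name are interpreted by the shell; switching from `sprintf` to `asprintf` only removes the length limit. Running the program directly with an argument vector avoids the shell. The sketch below assumes GUNZIP expands to a bare program name and that the file can include `sys/wait.h`. It also checks the `asprintf` result, which the new code ignores.

```c
	if (len > 3 && strncmp(p->ctc_value + len - 3, ".gz", 3) == 0) {
		/* run gunzip with an explicit argv so the name never reaches a shell */
		pid_t pid;
		int status;

		if (asprintf(&bf, "%s/%s", mgpwdirname, p->ctc_value) < 0) {
			fprintf(stderr, "asprintf: %s\n", strerror(errno));
			cleanup(-1);
		}
		pid = fork();
		if (pid == 0) {
			execlp(GUNZIP, GUNZIP, "--", bf, (char *)NULL);
			_exit(127);	/* exec failed */
		}
		if (pid < 0 || waitpid(pid, &status, 0) < 0)
			fprintf(stderr, "%s: %s\n", GUNZIP, strerror(errno));
		free(bf);
	}
```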
@@ -123,7 +122,7 @@ cleandir()		/* called by signal and quit
 {
 	DIR *dp;
 	struct dirent *dep;
-	char fname[BUFSIZ];
+	char *fname = NULL;
 
 	if (*mgpwdirname == '\0')
 		return;
@@ -135,11 +134,12 @@ cleandir()		/* called by signal and quit
 		if (strcmp(dep->d_name, ".") == 0 ||
 		    strcmp(dep->d_name, "..") == 0)
 			continue;
-		sprintf(fname, "%s/%s", mgpwdirname, dep->d_name);
+		asprintf(&fname, "%s/%s", mgpwdirname, dep->d_name);
 		if (unlink(fname)) {
 			fprintf(stderr, "unlink of %s: %s", fname,
 				strerror(errno));
 		}
+		free(fname);
 	}
 	closedir(dp);
 	rmdir(mgpwdirname);
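Review bot: cleandir is described in its own header comment as "called by signal", and the change adds `asprintf`/`free` to the loop; both use the heap and are not async-signal-safe, so a signal that arrives while the main program is inside malloc can deadlock or corrupt the heap. The stack buffer it replaces did not allocate. `if (unlinkat(dirfd(dp), dep->d_name, 0))` removes the entry without building a path at all (report `dep->d_name` in the error message), which drops both the allocation and the fixed-size buffer. The `fname` declaration is in the previous hunk and the loop starts outside this one.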
--- a/image/zoom.c
+++ b/image/zoom.c
@@ -74,7 +74,7 @@ Image *zoom(oimage, xzoom, yzoom, verbos
     if (verbose)
       fprintf(stderr, "  Zooming image by %0.2f%%...", xzoom);
     if (oimage->title)
-      sprintf(buf, "%s (%d%% zoom)", oimage->title, xzoom);
+      sprintf(buf, "%s (%f%% zoom)", oimage->title, xzoom);
   }
   else {
     if (verbose)
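Review bot: `%f` prints six decimals, so the stored title becomes something like "name (150.000000% zoom)" (constructed example), while the verbose message two lines above uses `%0.2f` for the same value. `sprintf(buf, "%s (%0.2f%% zoom)", oimage->title, xzoom);` matches that message, and `%.0f` would stay closest to the old integer form. The format/argument mismatch itself is correctly fixed, assuming xzoom is a floating-point parameter as the `%0.2f` line implies.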
--- a/parse.c
+++ b/parse.c
@@ -1254,7 +1254,7 @@ thirdpass()
 	 */
     {
 	int textseen;
-	int contseen;
+	int contseen = 0;
 	for (page = 1; page <= maxpage; page++) {
 		line = page_attribute[page].pg_linenum;
 		for (l = 0; l <= line; l++) {
--- a/print.c
+++ b/print.c
@@ -1806,7 +1806,7 @@ image_remember(cp, pool)
 				break;
 
 			default:
-				fprintf(stderr, "rotation by %d degrees not supported.\n", rotate);
+				fprintf(stderr, "rotation by %d degrees not supported.\n", cp->ctm_rotate);
 				cleanup(-1);
 		}
 		width = myimage->width;
@@ -1855,7 +1855,7 @@ noneps:
 			break;
 
 		default:
-			fprintf(stderr, "rotation by %d degrees not supported.\n", rotate);
+			fprintf(stderr, "rotation by %d degrees not supported.\n", cp->ctm_rotate);
 			cleanup(-1);
 	}
 	pool->xsiz = myimage->width;
--- a/x11.c
+++ b/x11.c
@@ -358,7 +358,7 @@ toggle_fullscreen()
 	static int fullscreen = 0;
 	XClientMessageEvent  xev;
 
-	fullscreen = ++fullscreen % 2;
+	fullscreen = (!fullscreen) & 1;
 	memset(&xev, 0, sizeof(xev));
 	xev.type=ClientMessage;
 	xev.message_type=XInternAtom(display, "_NET_WM_STATE", False);
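Review bot: `(!fullscreen) & 1` does more than the toggle needs, because `!` already yields 0 or 1; `fullscreen = !fullscreen;` says the same thing and removes the unsequenced modification just as well. toggle_fullscreen continues outside the hunk.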
