diff --git a/lib/sendf.c b/lib/sendf.c
index dcb8cf74a8461eeb8649df1c2aa3d33c97df6f42..4984bd7f52b3efc0c7707f70bbc5aaa6d49259b8 100644
--- a/lib/sendf.c
+++ b/lib/sendf.c
@@ -55,6 +55,7 @@
 #include "urldata.h"
 #include "sendf.h"
 
+#define _MPRINTF_REPLACE /* use the internal *printf() functions */
 #include <curl/mprintf.h>
 
 #ifdef KRB4
@@ -87,7 +88,7 @@ void failf(struct UrlData *data, char *fmt, ...)
   va_list ap;
   va_start(ap, fmt);
   if(data->errorbuffer)
-    vsprintf(data->errorbuffer, fmt, ap);
+    vsnprintf(data->errorbuffer, CURL_ERROR_SIZE, fmt, ap);
   else /* no errorbuffer receives this, write to data->err instead */
     vfprintf(data->err, fmt, ap);
   va_end(ap);
diff --git a/lib/url.c b/lib/url.c
index 2cdb0c06e06fe0e981ea8e92cde61881e8ea16b7..c6f2606f75f4259753ab04a9dd99aaa129627a8e 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -917,7 +917,7 @@ CURLcode curl_connect(CURL *curl, CURLconnect **in_connect)
   if(data->resume_from) {
     if(!data->bits.set_range) {
       /* if it already was in use, we just skip this */
-      sprintf(resumerange, "%d-", data->resume_from);
+      snprintf(resumerange, sizeof(resumerange), "%d-", data->resume_from);
       data->range=strdup(resumerange); /* tell ourselves to fetch this range */
       data->bits.rangestringalloc = TRUE; /* mark as allocated */
       data->bits.set_range = 1; /* switch on range usage */
@@ -1415,7 +1415,8 @@ CURLcode curl_connect(CURL *curl, CURLconnect **in_connect)
 
   if(data->bits.proxy_user_passwd) {
     char *authorization;
-    sprintf(data->buffer, "%s:%s", data->proxyuser, data->proxypasswd);
+    snprintf(data->buffer, BUFSIZE, "%s:%s",
+             data->proxyuser, data->proxypasswd);
     if(base64_encode(data->buffer, strlen(data->buffer),
                     &authorization) >= 0) {
       data->ptr_proxyuserpwd =