This came in to the webmaster address and was also addressed to a number of individuals (looks like the SF project admins). This appears like it would be of general interest to this group. Looking through this message and the various bug tracker items it's not clear to me if Secunia wants to know if the patch (which I believe has already been applied to all three active svn branches) is the source of the problem or if they want to know if it solves the buffer overrun problem. Are they suggesting that 10*size should be the character multiple in all cases? Skip