diff --git a/Kit/Source/iokit.c b/Kit/Source/iokit.c
index 5afb046c..ca1cbfb4 100755
--- a/Kit/Source/iokit.c
+++ b/Kit/Source/iokit.c
@@ -24,9 +24,19 @@ FILE *FileOpen(const char *Path, const char *File, const char *CtrlCode)
 {
 FILE *FilePtr;
 char FileName[1024];
-
- strcpy(FileName,Path);
- strcat(FileName,File);
+ int Written;
+
+ /* Use snprintf instead of strcpy+strcat — the previous version
+ could overflow FileName[1024] when Path and File combined to
+ more than 1024 bytes (e.g. a long working directory plus a
+ long config-file name). Truncation is preferred over the
+ silent stack smash that strcpy+strcat caused. */
+ Written = snprintf(FileName,sizeof(FileName),"%s%s",Path,File);
+ if(Written < 0 || (size_t)Written >= sizeof(FileName)) {
+ printf("Error: combined path length exceeds %zu bytes: %s%s\n",
+ sizeof(FileName)-1, Path, File);
+ exit(1);
+ }
 FilePtr=fopen(FileName,CtrlCode);
 if(FilePtr == NULL) {
 printf("Error opening %s: %s\n",FileName, strerror(errno));
diff --git a/Source/42ipc.c b/Source/42ipc.c
index 80bc08f4..220d7fac 100644
--- a/Source/42ipc.c
+++ b/Source/42ipc.c
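Review bot: The new comment ends with `Truncation is preferred over the silent stack smash that strcpy+strcat caused`, but the guard directly below it does not truncate — on an over-long name it prints the error and calls exit(1), which is the better choice, since a silently truncated path could open a different file than the one requested. Reword the last sentence so the comment matches the code, e.g. `Reject (do not truncate) an over-long name: a silently truncated path could open the wrong file.`. `exit()` and `snprintf()` need `<stdlib.h>` and `<stdio.h>`; the include block is outside the hunk, so confirm both are present. FileOpen's body continues past the end of the hunk.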
@@ -52,20 +52,20 @@ void InitInterProcessComm(void)
 for(Iipc=0;IipcMode = DecodeString(response);
- fscanf(infile,"\"%[^\"]\" %[^\n] %[\n]",FileName,junk,&newline);
- fscanf(infile,"%s %[^\n] %[\n]",response,junk,&newline);
+ fscanf(infile,"\"%79[^\"]\" %119[^\n] %1[\n]",FileName,junk,&newline);
+ fscanf(infile,"%119s %119[^\n] %1[\n]",response,junk,&newline);
 I->SocketRole = DecodeString(response);
- fscanf(infile,"%s %ld %[^\n] %[\n]",I->HostName,&I->Port,junk,&newline);
- fscanf(infile,"%s %[^\n] %[\n]",response,junk,&newline);
+ fscanf(infile,"%39s %ld %119[^\n] %1[\n]",I->HostName,&I->Port,junk,&newline);
+ fscanf(infile,"%119s %119[^\n] %1[\n]",response,junk,&newline);
 I->AllowBlocking = DecodeString(response);
- fscanf(infile,"%s %[^\n] %[\n]",response,junk,&newline);
+ fscanf(infile,"%119s %119[^\n] %1[\n]",response,junk,&newline);
 I->EchoEnabled = DecodeString(response);
 fscanf(infile,"%ld %[^\n] %[\n]",&I->Nprefix,junk,&newline);
 I->Prefix = (char **) calloc(I->Nprefix,sizeof(char *));
 for(Ipx=0;IpxNprefix;Ipx++) {
- fscanf(infile,"\"%[^\"]\" %[^\n] %[\n]",Prefix,junk,&newline);
+ fscanf(infile,"\"%79[^\"]\" %119[^\n] %1[\n]",Prefix,junk,&newline);
 I->Prefix[Ipx] = (char *) calloc(strlen(Prefix)+1,sizeof(char));
 strcpy(I->Prefix[Ipx],Prefix);
 }
diff --git a/World/AlbedoToCube.c b/World/AlbedoToCube.c
index 7d10f069..95b1f489 100755
--- a/World/AlbedoToCube.c
+++ b/World/AlbedoToCube.c
@@ -18,9 +18,15 @@ FILE *OpenFile(char *Path, char *File, char *CtrlCode)
 {
 FILE *FilePtr;
 char FileName[80];
+ int Written;
 
- strcpy(FileName,Path);
- strcat(FileName,File);
+ /* snprintf instead of strcpy+strcat — see iokit.c::FileOpen */
+ Written = snprintf(FileName,sizeof(FileName),"%s%s",Path,File);
+ if(Written < 0 || (size_t)Written >= sizeof(FileName)) {
+ printf("Error: combined path length exceeds %zu bytes: %s%s\n",
+ sizeof(FileName)-1, Path, File);
+ exit(1);
+ }
 FilePtr=fopen(FileName,CtrlCode);
 if(FilePtr == NULL) {
 printf("Error opening %s\n",FileName);
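Review bot: The context line `fscanf(infile,"%ld %[^\n] %[\n]",&I->Nprefix,junk,&newline);` still reads into junk with an unbounded `%[^\n]` while every other `%[^\n]` in the hunk received a width; change it to `"%ld %119[^\n] %1[\n]"` so a single over-long comment on the Nprefix line cannot overflow the buffer this commit sets out to protect. The widths 79, 119 and 39 must be exactly one less than the declared sizes of FileName, junk, Prefix, response and I->HostName, all of which are declared outside the hunk — worth confirming against those declarations. `%1[\n]` also stores the matched character plus a terminating NUL, i.e. two bytes; newline is passed as `&newline`, which suggests a single char, in which case the assignment-suppressed `%*1[\n]` (or `%c`) is the bounded form. InitInterProcessComm begins and ends outside the hunk, and its first context line appears garbled in this rendering.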
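Review bot: With the new guard, OpenFile's 80-byte FileName turns every Path+File longer than 79 bytes from a stack overflow into a hard exit, and 79 bytes is easily exceeded by an ordinary absolute path to a map image; consider `char FileName[1024];` to match the limit iokit.c::FileOpen uses, so the fix does not trade an overflow for a new failure on legitimate inputs. The same applies to the identical OpenFile hunks in DEMToBumpCube.c and MercatorToCube.c. `exit()` requires `<stdlib.h>`, whose include block is outside the hunk. OpenFile's body continues past the end of the hunk.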
diff --git a/World/DEMToBumpCube.c b/World/DEMToBumpCube.c
index 01822f94..ca8a81e1 100755
--- a/World/DEMToBumpCube.c
+++ b/World/DEMToBumpCube.c
@@ -23,9 +23,15 @@ FILE *OpenFile(char *Path, char *File, char *CtrlCode)
 {
 FILE *FilePtr;
 char FileName[80];
+ int Written;
 
- strcpy(FileName,Path);
- strcat(FileName,File);
+ /* snprintf instead of strcpy+strcat — see iokit.c::FileOpen */
+ Written = snprintf(FileName,sizeof(FileName),"%s%s",Path,File);
+ if(Written < 0 || (size_t)Written >= sizeof(FileName)) {
+ printf("Error: combined path length exceeds %zu bytes: %s%s\n",
+ sizeof(FileName)-1, Path, File);
+ exit(1);
+ }
 FilePtr=fopen(FileName,CtrlCode);
 if(FilePtr == NULL) {
 printf("Error opening %s\n",FileName);
diff --git a/World/MercatorToCube.c b/World/MercatorToCube.c
index ef1a1098..5e9aef10 100755
--- a/World/MercatorToCube.c
+++ b/World/MercatorToCube.c
@@ -18,9 +18,17 @@ FILE *OpenFile(char *Path, char *File, char *CtrlCode)
 {
 FILE *FilePtr;
 char FileName[80];
+ int Written;
 
- strcpy(FileName,Path);
- strcat(FileName,File);
+ /* snprintf instead of strcpy+strcat — see iokit.c::FileOpen for
+ the equivalent fix on the main entry path. Same bug shape:
+ attacker-controlled Path + File would overflow FileName[80]. */
+ Written = snprintf(FileName,sizeof(FileName),"%s%s",Path,File);
+ if(Written < 0 || (size_t)Written >= sizeof(FileName)) {
+ printf("Error: combined path length exceeds %zu bytes: %s%s\n",
+ sizeof(FileName)-1, Path, File);
+ exit(1);
+ }
 FilePtr=fopen(FileName,CtrlCode);
 if(FilePtr == NULL) {
 printf("Error opening %s\n",FileName);
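Review bot: The new comment in MercatorToCube.c asserts `attacker-controlled Path + File would overflow FileName[80]`, but nothing in this hunk establishes who controls Path and File — both are plain parameters supplied by callers outside it — and a comment that overstates the threat misleads the next maintainer as much as one that hides it. State only what the code shows: `/* snprintf instead of strcpy+strcat — an over-long Path+File used to overflow FileName[80]; see iokit.c::FileOpen */`. OpenFile's body continues past the end of the hunk.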