Index: branches/chucko/i386/boot2/options.c
===================================================================
--- branches/chucko/i386/boot2/options.c (revision 2312)
+++ branches/chucko/i386/boot2/options.c (revision 2313)
@@ -641,24 +641,28 @@
 char *getMemoryInfoString()
 {
- int i;
- MemoryRange *mp = bootInfo->memoryMap;
- char *buff = malloc(sizeof(char)*1024);
- if(!buff) return 0;
+ int i, bufflen;
+ MemoryRange *mp = bootInfo->memoryMap;
+ char *buff = malloc(sizeof(char)*1024);
+ if (!buff)
+ return 0;
- char info[] = "BIOS reported memory ranges:\n";
- sprintf(buff, "%s", info);
- for (i=0; imemoryMapCount; i++) {
- sprintf( buff+strlen(buff), "Base 0x%08x%08x, ",
- (unsigned long)(mp->base >> 32),
- (unsigned long)(mp->base));
- sprintf( buff+strlen(buff), "length 0x%08x%08x, type %d\n",
- (unsigned long)(mp->length >> 32),
- (unsigned long)(mp->length),
- mp->type);
- mp++;
- }
- return buff;
+ static const char info[] = "BIOS reported memory ranges:\n";
+ bufflen = sprintf(buff, "%s", info);
+
+ for (i = 0;
+ (i < bootInfo->memoryMapCount) && (bufflen < 1024); /* prevent buffer overflow */
+ i++) {
+ bufflen += snprintf(buff+bufflen, 1024-bufflen, "Base 0x%08x%08x, ",
+ (unsigned long)(mp->base >> 32),
+ (unsigned long)(mp->base));
+ bufflen += snprintf(buff+bufflen, 1024-bufflen, "length 0x%08x%08x, type %d\n",
+ (unsigned long)(mp->length >> 32),
+ (unsigned long)(mp->length),
+ mp->type);
+ mp++;
+ }
+ return buff;
 }
 //==========================================================================
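Review bot: The `bufflen < 1024` test runs only at the top of each iteration, so the second `snprintf` in the loop body is called with no check after the first one has already advanced `bufflen`. If this loader's `snprintf` follows the C99 convention of returning the length that would have been written (its implementation is not visible in this hunk, so this is an assumption to confirm), a truncated first call leaves `bufflen` above 1024; the second call then gets a pointer past the end of `buff` and a negative `1024-bufflen`, which becomes a very large size once converted to `size_t`, so it can write past the allocation. The entry count comes from the BIOS-reported memory map, so a map long enough to fill the buffer should be treated as reachable input rather than a corner case. Checking each return value before adding it, and stopping at the first entry that does not fit, keeps `bufflen` below 1024 whichever return convention applies; folding the two calls into one also leaves a single place to check.

```c
	/* … unchanged: declarations, malloc check, header sprintf into buff … */
	for (i = 0; i < bootInfo->memoryMapCount; i++, mp++) {
		int n = snprintf(buff + bufflen, 1024 - bufflen,
				"Base 0x%08x%08x, length 0x%08x%08x, type %d\n",
				(unsigned long)(mp->base >> 32),
				(unsigned long)(mp->base),
				(unsigned long)(mp->length >> 32),
				(unsigned long)(mp->length),
				mp->type);
		if (n < 0 || n >= 1024 - bufflen) {
			buff[bufflen] = '\0';	/* drop the partial entry and stop */
			break;
		}
		bufflen += n;	/* invariant: bufflen < 1024 */
	}
	return buff;
```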