diff --git a/ChangeLog b/ChangeLog
index 29b29d5..42b2a71 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,8 @@
-$Id: ChangeLog,v 1.134 2012/01/28 21:53:19 steffen Exp $
+$Id: ChangeLog,v 1.135 2015/03/28 22:54:09 steffen Exp $
+
+28.03.2015:
+- fixed: buffer overflow in send_mapinfo, found by sourceforge user whiteduck.
+         snprintf is now used.
 
 - code cleanup: compiling should work now without any warnings.
 
diff --git a/src/main.c b/src/main.c
index f0aea75..96ce42d 100644
--- a/src/main.c
+++ b/src/main.c
@@ -1,4 +1,4 @@
-/* $Id: main.c,v 1.37 2008/07/27 11:24:37 stpohle Exp $ */
+/* $Id: main.c,v 1.38 2015/03/28 22:54:09 steffen Exp $ */
 
 #include "basic.h"
 #include "bomberclone.h"
diff --git a/src/packets.c b/src/packets.c
index 2bcd9a8..92edd94 100644
--- a/src/packets.c
+++ b/src/packets.c
@@ -1594,8 +1594,8 @@ send_mapinfo (_net_addr * addr)
     map_pkg.sp_push = map.sp_push;
     map_pkg.start_bombs = bman.start_bombs;
     map_pkg.start_range = bman.start_range;
-    sprintf (map_pkg.start_speed, "%4f", bman.start_speed);
-    sprintf (map_pkg.bomb_tickingtime, "%4f", bman.bomb_tickingtime);
+    snprintf (map_pkg.start_speed, sizeof(map_pkg.start_speed), "%f", bman.start_speed);
+    snprintf (map_pkg.bomb_tickingtime, sizeof(map_pkg.bomb_tickingtime), "%f", bman.bomb_tickingtime);
 
     if (map.random_tileset)
         map_pkg.tileset[0] = 0;