+diff -up sqlite-3.6.6.2/tool/lemon.c.lemparpath sqlite-3.6.6.2/tool/lemon.c
+--- sqlite-3.6.6.2/tool/lemon.c.lemparpath 2008-12-05 20:37:49.000000000 +0200
++++ sqlite-3.6.6.2/tool/lemon.c 2008-12-05 20:44:08.000000000 +0200
+@@ -1324,15 +1324,15 @@ void ErrorMsg(const char *filename, int
+ va_start(ap, format);
+ /* Prepare a prefix to be prepended to every output line */
+ if( lineno>0 ){
+- sprintf(prefix,"%.*s:%d: ",PREFIXLIMIT-10,filename,lineno);
++ snprintf(prefix,sizeof prefix,"%.*s:%d: ",PREFIXLIMIT-10,filename,lineno);
+ }else{
+- sprintf(prefix,"%.*s: ",PREFIXLIMIT-10,filename);
++ snprintf(prefix,sizeof prefix,"%.*s: ",PREFIXLIMIT-10,filename);
+ }
+ prefixsize = lemonStrlen(prefix);
+ availablewidth = LINEWIDTH - prefixsize;
+
+ /* Generate the error message */
+- vsprintf(errmsg,format,ap);
++ vsnprintf(errmsg,sizeof errmsg,format,ap);
+ va_end(ap);
+ errmsgsize = lemonStrlen(errmsg);
+ /* Remove trailing '\n's from the error message. */
+@@ -2911,7 +2911,7 @@ struct lemon *lemp;
+ while( cfp ){
+ char buf[20];
+ if( cfp->dot==cfp->rp->nrhs ){
+- sprintf(buf,"(%d)",cfp->rp->index);
++ snprintf(buf,sizeof buf,"(%d)",cfp->rp->index);
+ fprintf(fp," %5s ",buf);
+ }else{
+ fprintf(fp," ");
+@@ -2966,6 +2966,7 @@ int modemask;
+ {
+ char *pathlist;
+ char *path,*cp;
++ size_t pathsz;
+ char c;
+
+ #ifdef __WIN32__
+@@ -2976,21 +2977,21 @@ int modemask;
+ if( cp ){
+ c = *cp;
+ *cp = 0;
+- path = (char *)malloc( lemonStrlen(argv0) + lemonStrlen(name) + 2 );
+- if( path ) sprintf(path,"%s/%s",argv0,name);
++ path = (char *)malloc((pathsz=lemonStrlen(argv0) + lemonStrlen(name) + 2));
++ if( path ) snprintf(path,pathsz,"%s/%s",argv0,name);
+ *cp = c;
+ }else{
+ extern char *getenv();
+ pathlist = getenv("PATH");
+ if( pathlist==0 ) pathlist = ".:/bin:/usr/bin";
+- path = (char *)malloc( lemonStrlen(pathlist)+lemonStrlen(name)+2 );
++ path = (char *)malloc((pathsz=lemonStrlen(pathlist)+lemonStrlen(name)+2));
+ if( path!=0 ){
+ while( *pathlist ){
+ cp = strchr(pathlist,':');
+ if( cp==0 ) cp = &pathlist[lemonStrlen(pathlist)];
+ c = *cp;
+ *cp = 0;
+- sprintf(path,"%s/%s",pathlist,name);
++ snprintf(path,pathsz,"%s/%s",pathlist,name);
+ *cp = c;
+ if( c==0 ) pathlist = "";
+ else pathlist = &cp[1];
+@@ -3070,14 +3071,16 @@ struct lemon *lemp;
+
+ cp = strrchr(lemp->filename,'.');
+ if( cp ){
+- sprintf(buf,"%.*s.lt",(int)(cp-lemp->filename),lemp->filename);
++ snprintf(buf,sizeof buf,"%.*s.lt",(int)(cp-lemp->filename),lemp->filename);
+ }else{
+- sprintf(buf,"%s.lt",lemp->filename);
++ snprintf(buf,sizeof buf,"%s.lt",lemp->filename);
+ }
+ if( access(buf,004)==0 ){
+ tpltname = buf;
+ }else if( access(templatename,004)==0 ){
+ tpltname = templatename;
++ }else if( access("/usr/share/lemon/lempar.c",004)==0 ){
++ tpltname = "/usr/share/lemon/lempar.c";
+ }else{
+ tpltname = pathsearch(lemp->argv0,templatename,0);
+ }
+@@ -3089,7 +3092,7 @@ struct lemon *lemp;
+ }
+ in = fopen(tpltname,"rb");
+ if( in==0 ){
+- fprintf(stderr,"Can't open the template file \"%s\".\n",templatename);
++ fprintf(stderr,"Can't open the template file \"%s\".\n",tpltname);
+ lemp->errorcnt++;
+ return 0;
+ }
+@@ -3827,7 +3830,7 @@ int mhflag; /* Output in makeheaders
+ /* Generate a table containing the symbolic name of every symbol
+ */
+ for(i=0; i<lemp->nsymbol; i++){
+- sprintf(line,"\"%s\",",lemp->symbols[i]->name);
++ snprintf(line,sizeof line,"\"%s\",",lemp->symbols[i]->name);
+ fprintf(out," %-15s",line);
+ if( (i&3)==3 ){ fprintf(out,"\n"); lineno++; }
+ }
+@@ -3983,7 +3986,7 @@ struct lemon *lemp;
+ in = file_open(lemp,".h","rb");
+ if( in ){
+ for(i=1; i<lemp->nterminal && fgets(line,LINESIZE,in); i++){
+- sprintf(pattern,"#define %s%-30s %2d\n",prefix,lemp->symbols[i]->name,i);
++ snprintf(pattern,sizeof pattern,"#define %s%-30s %2d\n",prefix,lemp->symbols[i]->name,i);
+ if( strcmp(line,pattern) ) break;
+ }
+ fclose(in);