diff --git a/hw/virtio-9p.c b/hw/virtio-9p.c
index 68b0696..ee81a7a 100644
--- a/hw/virtio-9p.c
+++ b/hw/virtio-9p.c
@@ -267,7 +267,7 @@ static int v9fs_string_alloc_printf(char **strp,
const char *fmt, va_list ap)
 alloc_print:
     *strp = qemu_malloc((len + 1) * sizeof(**strp));

-    return vsprintf(*strp, fmt, ap);
+    return vsnprintf(*strp, len + 1, fmt, ap);
 }

 static void v9fs_string_sprintf(V9fsString *str, const char *fmt, ...)
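Review bot: The new `vsnprintf` result is returned unchecked, and on truncation that value is the length the full string would have needed, not the number of bytes stored in `*strp`. If `len` (computed above the hunk, not visible here) ever underestimates, a caller that records the return value as the string's size would describe more bytes than the `len + 1` allocation holds. I would validate it before returning: `n = vsnprintf(*strp, len + 1, fmt, ap);` then `assert(n >= 0 && n <= len);` then `return n;`. The function body begins outside the hunk.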
diff --git a/vl.c b/vl.c
index d5c1e34..d66b94f 100644
--- a/vl.c
+++ b/vl.c
@@ -3121,10 +3121,10 @@ int main(int argc, char **argv, char **envp)
                     exit(1);
                 }

-                sprintf(arg_fsdev, "%s,id=%s,path=%s",
-                                qemu_opt_get(opts, "fstype"),
-                                qemu_opt_get(opts, "mount_tag"),
-                                qemu_opt_get(opts, "path"));
+                snprintf(arg_fsdev, len + 1, "%s,id=%s,path=%s",
+                         qemu_opt_get(opts, "fstype"),
+                         qemu_opt_get(opts, "mount_tag"),
+                         qemu_opt_get(opts, "path"));

                 len = strlen("virtio-9p-pci,fsdev=,mount_tag=");
                 len += 2*strlen(qemu_opt_get(opts, "mount_tag"));
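Review bot: The `snprintf` into `arg_fsdev` ignores its return value, so a mismatch between `len` and the formatted length now yields a silently shortened option string instead of an overflow. A cut-off `path=` value would name a different host directory than the one requested. `len` and the allocation of `arg_fsdev` are set above the hunk, so whether they match this format cannot be confirmed from here; treat a return value greater than `len` as an error and exit, as the surrounding code does for its other failures. The `arg_9p` call in the next hunk has the same gap. Because `len` is reassigned two lines later for the second buffer, a short comment such as `/* len still holds the arg_fsdev size here */` would stop the bound from being moved below that line.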
@@ -3136,9 +3136,9 @@ int main(int argc, char **argv, char **envp)
                     exit(1);
                 }

-                sprintf(arg_9p, "virtio-9p-pci,fsdev=%s,mount_tag=%s",
-                                qemu_opt_get(opts, "mount_tag"),
-                                qemu_opt_get(opts, "mount_tag"));
+                snprintf(arg_9p, len + 1,
"virtio-9p-pci,fsdev=%s,mount_tag=%s",
+                         qemu_opt_get(opts, "mount_tag"),
+                         qemu_opt_get(opts, "mount_tag"));

                 if (!qemu_opts_parse(&qemu_fsdev_opts, arg_fsdev, 1)) {
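Review bot: `mount_tag` is pasted unescaped into a comma-delimited option string that is then handed to `qemu_opts_parse`, and so is `path` in the previous hunk. If that parser splits on commas (its behaviour is not visible here), a value containing `,` would be read as additional options instead of as part of the tag or path. Consider rejecting or escaping such values before formatting, or filling the option set directly instead of round-tripping through a string. At minimum, document the constraint with a comment such as `/* mount_tag and path must not contain ',' */`.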
