diff --git a/ChangeLog b/ChangeLog
index 0eb2d667..c7426e0c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2007-01-09  Nick Treleaven  <nick.treleaven@btinternet.com>
+
+ * src/utils.c, src/sci_cb.c, src/sciwrappers.c:
+   Prevent some possible buffer overflows.
+
+
 2007-01-08  Enrico Tröger  <enrico.troeger@uvena.de>
 
  * doc/geany.docbook, src/keybindings.c, src/keybindings.h:
diff --git a/src/sci_cb.c b/src/sci_cb.c
index 163534ee..1905df42 100644
--- a/src/sci_cb.c
+++ b/src/sci_cb.c
@@ -259,7 +259,7 @@ void on_editor_notification(GtkWidget *editor, gint scn, gpointer lscn, gpointer
 			{
 				gint start, pos = SSM(sci, SCI_GETCURRENTPOS, 0, 0);
 				start = pos;
-				while (sci_get_char_at(sci, --start) != '&') ;
+				while (start > 0 && sci_get_char_at(sci, --start) != '&') ;
 
 				SSM(sci, SCI_INSERTTEXT, pos - 1, (sptr_t) nt->text);
 			}
@@ -897,7 +897,7 @@ void sci_cb_auto_forif(gint idx, gint pos)
 	sci_get_text_range(sci, pos - 16, pos - 1, buf);
 	// check the first 8 characters of buf for whitespace, but only in this line
 	i = 14;
-	while (isalpha(buf[i])) i--;	// find pos before keyword
+	while (i >= 0 && isalpha(buf[i])) i--;	// find pos before keyword
 	while (i >= 0 && buf[i] != '\n' && buf[i] != '\r') // we want to stay in this line('\n' check)
 	{
 		if (! isspace(buf[i]))
@@ -1177,7 +1177,7 @@ void sci_cb_auto_table(ScintillaObject *sci, gint pos)
 		x = strlen(indent);
 		// find the start of the <table tag
 		i = 1;
-		while (sci_get_char_at(sci, pos - i) != '<') i++;
+		while (i <= pos && sci_get_char_at(sci, pos - i) != '<') i++;
 		// add all non whitespace before the tag to the indent string
 		while ((pos - i) != indent_pos)
 		{
@@ -1301,12 +1301,17 @@ void sci_cb_do_uncomment(gint idx, gint line)
 
 	for (i = first_line; (i <= last_line) && (! break_loop); i++)
 	{
+		gint buf_len;
+
 		line_start = sci_get_position_from_line(doc_list[idx].sci, i);
 		line_len = sci_get_line_length(doc_list[idx].sci, i);
 		x = 0;
 
-		sci_get_text_range(doc_list[idx].sci, line_start, MIN((line_start + 255), (line_start + line_len - 1)), sel);
-		sel[MIN(255, (line_len - 1))] = '\0';
+		buf_len = MIN((gint)sizeof(sel) - 1, line_len - 1);
+		if (buf_len <= 0)
+			break;
+		sci_get_text_range(doc_list[idx].sci, line_start, line_start + buf_len, sel);
+		sel[buf_len] = '\0';
 
 		while (isspace(sel[x])) x++;
 
@@ -1430,12 +1435,17 @@ void sci_cb_do_comment_toggle(gint idx)
 
 	for (i = first_line; (i <= last_line) && (! break_loop); i++)
 	{
+		gint buf_len;
+
 		line_start = sci_get_position_from_line(doc_list[idx].sci, i);
 		line_len = sci_get_line_length(doc_list[idx].sci, i);
 		x = 0;
 
-		sci_get_text_range(doc_list[idx].sci, line_start, MIN((line_start + 255), (line_start + line_len - 1)), sel);
-		sel[MIN(255, (line_len - 1))] = '\0';
+		buf_len = MIN((gint)sizeof(sel) - 1, line_len - 1);
+		if (buf_len <= 0)
+			break;
+		sci_get_text_range(doc_list[idx].sci, line_start, line_start + buf_len, sel);
+		sel[buf_len] = '\0';
 
 		while (isspace(sel[x])) x++;
 
@@ -1616,17 +1626,18 @@ void sci_cb_do_comment(gint idx, gint line, gboolean allow_empty_lines)
 
 	for (i = first_line; (i <= last_line) && (! break_loop); i++)
 	{
+		gint buf_len;
+
 		line_start = sci_get_position_from_line(doc_list[idx].sci, i);
 		line_len = sci_get_line_length(doc_list[idx].sci, i);
 		x = 0;
 
-		sci_get_text_range(doc_list[idx].sci, line_start, MIN((line_start + 256), (line_start + line_len - 1)), sel);
-		sel[MIN(256, (line_len - 1))] = '\0';
+		buf_len = MIN((gint)sizeof(sel) - 1, line_len - 1);
+		if (buf_len <= 0)
+			break;
+		sci_get_text_range(doc_list[idx].sci, line_start, line_start + buf_len, sel);
+		sel[buf_len] = '\0';
 
-		/// TODO fix the above code to remove the described segfault below
-		// The following loop causes a segfault when the cursor is on the last line of doc and
-		// there are no other characters on this line and Geany was compiled with -O2, with -O0
-		// all works fine.
 		while (isspace(sel[x])) x++;
 
 		// to skip blank lines
diff --git a/src/sciwrappers.c b/src/sciwrappers.c
index bdf323ec..45f11206 100644
--- a/src/sciwrappers.c
+++ b/src/sciwrappers.c
@@ -756,6 +756,7 @@ void sci_clear_cmdkey(ScintillaObject *sci, gint key)
 }
 
 
+/* text will be zero terminated and must be allocated (end - start + 1) bytes */
 void sci_get_text_range(ScintillaObject *sci, gint start, gint end, gchar *text)
 {
 	struct TextRange tr;
diff --git a/src/utils.c b/src/utils.c
index 7830c86d..f93090d8 100644
--- a/src/utils.c
+++ b/src/utils.c
@@ -470,7 +470,7 @@ static gchar *parse_cpp_function_at_line(ScintillaObject *sci, gint tag_line)
 	if (end < 0) end = 0;
 
 	// skip whitespaces between identifier and (
-	while (isspace(sci_get_char_at(sci, end))) end--;
+	while (end > 0 && isspace(sci_get_char_at(sci, end))) end--;
 
 	start = end;
 	c = 0;