diff --git a/xfig.3.2.5-zoom.dif b/xfig.3.2.5-zoom.dif
new file mode 100644
index 0000000..be8a77b
--- /dev/null
+++ b/xfig.3.2.5-zoom.dif
@@ -0,0 +1,70 @@
+--- main.c
++++ main.c	2008-05-14 19:08:15.853469188 +0200
+@@ -1533,7 +1533,7 @@ notablet:
+ 	  if (event.type == KeyPress
+ 	      && XtWindow(canvas_sw) == ((XKeyPressedEvent *)&event)->window) {
+ 	    KeySym key = XLookupKeysym((XKeyPressedEvent *)&event, 0);
+-	    if (XK_F1 <= key && key <= XK_F35) {
++	    if (XK_F1 >= key && key <= XK_F35) {
+ 	      XtDispatchEvent(&event);
+ 	    } else {
+ 	      canvas_selected(canvas_sw, &event, NULL, NULL);
+--- w_rulers.c
++++ w_rulers.c	2008-05-14 19:05:40.041361341 +0200
+@@ -1166,7 +1166,7 @@ void reset_topruler(void)
+     register int    i,k;
+     register tick_info* tk;
+     register Pixmap p = topruler_pm;
+-    char	    number[6];
++    char	    number[60];
+     int		    X0,len;
+     int		    tickmod, tickskip;
+ 
+@@ -1183,7 +1183,7 @@ void reset_topruler(void)
+ 	tickmod = 1;
+ 
+     /* see how big a label is to adjust spacing, if necessary */
+-    sprintf(number, "%d%s", (X0+(int)((TOPRULER_WD/zoomscale)))/tickmod, cur_fig_units);
++    snprintf(number, sizeof(number)-1, "%d%s", (X0+(int)((TOPRULER_WD/zoomscale)))/tickmod, cur_fig_units);
+     len = XTextWidth(roman_font, number, strlen(number));
+     while (skipx < (len + 5)/zoomscale) {
+ 	skip *= 2;
+@@ -1197,11 +1197,11 @@ void reset_topruler(void)
+       /* string */
+       if (i % skipx == 0) {
+         if ((i/10) % tickmod == 0)
+-          sprintf(number, "%d%s", i/tickmod, cur_fig_units);
++          snprintf(number, sizeof(number)-1, "%d%s", i/tickmod, cur_fig_units);
+ 	else if (i % tickmod == 0)
+-          sprintf(number, "%d", i/tickmod);
++          snprintf(number, sizeof(number)-1, "%d", i/tickmod);
+         else
+-          sprintf(number, precstr, (float)(1.0 * i / tickmod));
++          snprintf(number, sizeof(number)-1, precstr, (float)(1.0 * i / tickmod));
+ 	/* get length of string to position it */
+ 	len = XTextWidth(roman_font, number, strlen(number));
+         /* we center on the number only, letting the minus sign hang out */
+@@ -1425,7 +1425,7 @@ void reset_sideruler(void)
+     register int    i,k;
+     register tick_info* tk;
+     register Pixmap p = sideruler_pm;
+-    char	    number[6],len;
++    char	    number[60],len;
+     int		    Y0;
+     int		    tickmod, tickskip;
+ 
+@@ -1456,11 +1456,11 @@ void reset_sideruler(void)
+       /* string */
+       if (i % skipx == 0) {
+         if ((i/10) % tickmod == 0)
+-          sprintf(number, "%d%s", i/tickmod, cur_fig_units);
++          snprintf(number, sizeof(number)-1, "%d%s", i/tickmod, cur_fig_units);
+ 	else if (i % tickmod == 0)
+-          sprintf(number, "%d", i/tickmod);
++          snprintf(number, sizeof(number)-1, "%d", i/tickmod);
+         else
+-          sprintf(number, precstr, (float)(1.0 * i / tickmod));
++          snprintf(number, sizeof(number)-1, precstr, (float)(1.0 * i / tickmod));
+ 	/* get length of string to position it */
+ 	len = XTextWidth(roman_font, number, strlen(number));
+ 	/* vertically centered on inch/cm mark */
diff --git a/xfig.changes b/xfig.changes
index e2ca4bc..b27ab4d 100644
--- a/xfig.changes
+++ b/xfig.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Wed May 14 19:13:00 CEST 2008 - werner@suse.de
+
+- Fix buffer overflow in zoom handling (bnc#390283)
+
 -------------------------------------------------------------------
 Fri Apr 25 18:17:48 CEST 2008 - werner@suse.de
 
diff --git a/xfig.spec b/xfig.spec
index 03aefc8..38cb127 100644
--- a/xfig.spec
+++ b/xfig.spec
@@ -19,7 +19,7 @@ Provides:       xfig.3.2.3d
 Requires:       transfig netpbm ghostscript-fonts-std
 AutoReqProv:    on
 Version:        3.2.5
-Release:        85
+Release:        92
 Summary:        Facility for Interactive Generation of Figures under the X Window System
 Url:            http://www.xfig.org/
 Source:         xfig.%{version}.tar.bz2
@@ -36,6 +36,7 @@ Patch5:         xfig.3.2.4-null.dif
 Patch6:         xfig.%{version}-locale.dif
 Patch7:         xfig.%{version}-fixes.dif
 Patch8:         xfig.%{version}-pspdftex.dif
+Patch9:         xfig.%{version}-zoom.dif
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %{expand: %%global _exec_prefix %(type -p pkg-config &>/dev/null && pkg-config --variable prefix x11 || echo /usr/X11R6)}
 %if "%_exec_prefix" == "/usr/X11R6"
@@ -82,6 +83,7 @@ find -type f | xargs -r chmod a-x,go-w
 %patch6  -p0 -b .locale
 %patch7  -p0 -b .fixes
 %patch8  -p0 -b .pspdftex
+%patch9  -p0 -b .zoom
 cp $RPM_SOURCE_DIR/font-test.fig .
 xmkmf -a -D_DATA='%{_data}' -DStandardDefines=''
 
@@ -137,6 +139,8 @@ find %{buildroot}/%{_docdir}/%{name} -name '*.orig' | xargs -r rm -f
 %doc %{_mandir}/man1/xfig.1x.gz
 
 %changelog
+* Wed May 14 2008 werner@suse.de
+- Fix buffer overflow in zoom handling (bnc#390283)
 * Fri Apr 25 2008 werner@suse.de
 - Make PS/PDF/LaTeX work similar to PS/LaTeX and PDF/LaTeX (bnc#383669)
 * Tue Dec 18 2007 werner@suse.de