Index: main/manager.c
===================================================================
--- main/manager.c (revision 169213)
+++ main/manager.c (working copy)
@@ -2594,10 +2594,10 @@
 const char *event = astman_get_header(m, "UserEvent");
 char body[2048] = "";
 int x, bodylen = 0;
- for (x = 0; x < m->hdrcount; x++) {
+ for (x = 0; x < m->hdrcount && (sizeof(body) - bodylen) > 2; x++) {
 if (strncasecmp("UserEvent:", m->headers[x], strlen("UserEvent:"))) {
 ast_copy_string(body + bodylen, m->headers[x], sizeof(body) - bodylen - 3);
- bodylen += strlen(m->headers[x]);
+ bodylen += MIN(strlen(m->headers[x]), sizeof(body) - bodylen - 3);
 ast_copy_string(body + bodylen, "\r\n", 3);
 bodylen += 2;
 }
Index: apps/app_userevent.c
===================================================================
--- apps/app_userevent.c (revision 169213)
+++ apps/app_userevent.c (working copy)
@@ -48,6 +48,9 @@
 static int userevent_exec(struct ast_channel *chan, void *data)
 {
+#ifndef MIN
+#define MIN(a,b) ((a) < (b) ? (a) : (b))
+#endif
 char *parse, buf[2048] = "";
 int x, buflen = 0;
 AST_DECLARE_APP_ARGS(args,
@@ -64,9 +67,9 @@
 AST_STANDARD_APP_ARGS(args, parse);
- for (x = 0; x < args.argc - 1; x++) {
- ast_copy_string(buf + buflen, args.extra[x], sizeof(buf) - buflen - 2);
- buflen += strlen(args.extra[x]);
+ for (x = 0; x < args.argc - 1 && (sizeof(buf) - buflen) > 2; x++) {
+ ast_copy_string(buf + buflen, args.extra[x], sizeof(buf) - buflen - 3);
+ buflen += MIN(strlen(args.extra[x]), sizeof(buf) - buflen - 3);
 ast_copy_string(buf + buflen, "\r\n", 3);
 buflen += 2;
 }
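Review bot: In main/manager.c the new `bodylen += MIN(strlen(m->headers[x]), sizeof(body) - bodylen - 3)` overshoots by one when a header is truncated, because ast_copy_string() stores at most size - 1 characters before its terminator. The writes stay inside body, but bodylen then points one byte past that NUL, so the following "\r\n" lands behind the terminator and the body ends without a line ending, which likely leaves the emitted manager event malformed for AMI clients. Advancing by what was actually written avoids the mismatch: `bodylen += strlen(body + bodylen);`. The guard `(sizeof(body) - bodylen) > 2` also admits a remaining space of exactly 3, which makes the size argument 0; `> 3` keeps it at least 1. The same two lines appear in the apps/app_userevent.c loop (with `buf`/`buflen`), and the enclosing function in manager.c starts and ends outside the hunk.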
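Review bot: The `#ifndef MIN` / `#define MIN` block in apps/app_userevent.c sits inside the body of userevent_exec(), right after the opening brace, where it reads like a local definition although it stays visible for the rest of the translation unit. Moving it to file scope below the includes, or relying on a shared project definition, would make that explicit; main/manager.c uses MIN with no definition in its hunk, so presumably one is already in scope there. The macro evaluates each argument twice, so a short comment such as `/* arguments are evaluated twice; pass side-effect-free expressions */` is worth adding next to it. The function body continues outside the hunk.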
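Review bot: The loop in apps/app_userevent.c (hunk `-64,9 +67,9`) now stops or truncates silently once buf is full, so the dialplan author gets a partial UserEvent with no indication that arguments were dropped. A warning after the loop would make this visible to operators, for example `if (x < args.argc - 1) ast_log(LOG_WARNING, "UserEvent arguments truncated at %d bytes\n", buflen);`, with a matching check for a final argument that was cut short. The manager.c loop has the same gap. How buf is consumed after the loop is outside the hunk.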