Subject: Re: CVS commit: src/sys
To: None <sjg@crufty.net>
From: M. Warner Losh <imp@bsdimp.com>
List: tech-kern
Date: 04/25/2004 11:01:55
In message: <20040425044912.94DFEA655@zen.crufty.net>
            sjg@crufty.net (Simon J. Gerraty) writes:
: cp += snprintf(...)

Maybe people shouldn't do that at all.  No need to have a cp +=
safe_sprintf() because the code is still wrong in the buffer overflow
case: if it returns 0, future uses of cp will be wrong.

Better to say

       snprintf()
       if (cp + strlen(cp) > ep)
		/* handle badness */

So what you propose would fix the 'negative offset' issue, but not
deeper issues.

Warner
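
The failure mode discussed in this message, as an added example that is not part of the original mail or of the NetBSD tree: C99 snprintf() returns the length the output would have needed, so accumulating it can move the position past the end of the buffer. The helper buf_appendf() and the function naive_offset() are hypothetical names; the helper treats truncation as an error and leaves the pointer where it was.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* What `cp += snprintf(...)` computes, kept as an integer offset so the
 * demonstration itself never forms an out-of-range pointer. */
static size_t naive_offset(char *buf, size_t size, const char *s)
{
    size_t off = 0;
    int n = snprintf(buf + off, size - off, "%s", s);

    off += (size_t)n;   /* n is the length wanted, not the length written */
    return off;         /* may exceed size: size - off would then wrap */
}

/* Hypothetical helper: append at *cpp without ever reaching ep.
 * Returns 0 on success; -1 on error or truncation, leaving *cpp unmoved
 * and the partial output discarded. */
static int buf_appendf(char **cpp, char *ep, const char *fmt, ...)
{
    va_list ap;
    size_t room;
    int n;

    if (*cpp >= ep)
        return -1;
    room = (size_t)(ep - *cpp);
    va_start(ap, fmt);
    n = vsnprintf(*cpp, room, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= room) {
        **cpp = '\0';
        return -1;
    }
    *cpp += n;
    return 0;
}

int main(void)
{
    char buf[8], *cp = buf, *ep = buf + sizeof(buf);

    printf("naive offset: %zu of %zu\n",
        naive_offset(buf, sizeof(buf), "0123456789abcdef"), sizeof(buf));
    printf("append abc: %d\n", buf_appendf(&cp, ep, "%s", "abc"));
    printf("append defgh: %d\n", buf_appendf(&cp, ep, "%s", "defgh"));
    printf("buf=\"%s\" len=%zu\n", buf, strlen(buf));
    return 0;
}
```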