diff --git a/toolkit/mozapps/update/updater/updater.cpp b/toolkit/mozapps/update/updater/updater.cpp
--- a/toolkit/mozapps/update/updater/updater.cpp
+++ b/toolkit/mozapps/update/updater/updater.cpp
@@ -2915,34 +2915,40 @@ int NS_main(int argc, NS_tchar **argv)
     // If the callback executable is specified it must exist for a successful
     // update.  It is important we null out the whole buffer here because later
     // we make the assumption that the callback application is inside the
     // apply-to dir.  If we don't have a fully null'ed out buffer it can lead
     // to stack corruption which causes crashes and other problems.
     NS_tchar callbackLongPath[MAXPATHLEN];
     ZeroMemory(callbackLongPath, sizeof(callbackLongPath));
     NS_tchar *targetPath = argv[callbackIndex];
-    NS_tchar buffer[MAXPATHLEN*2];
+    NS_tchar buffer[MAXPATHLEN * 2] = { NS_T('\0') };
+    size_t bufferLeft = MAXPATHLEN * 2;
     if (sReplaceRequest) {
       // In case of replace requests, we should look for the callback file in
       // the destination directory.
       size_t commonPrefixLength = PathCommonPrefixW(argv[callbackIndex], gDestinationPath, NULL);
       NS_tchar *p = buffer;
       NS_tstrncpy(p, argv[callbackIndex], commonPrefixLength);
       p += commonPrefixLength;
-      NS_tstrcpy(p, gDestinationPath + commonPrefixLength);
-      p += NS_tstrlen(gDestinationPath + commonPrefixLength);
+      bufferLeft -= commonPrefixLength;
+      NS_tstrncpy(p, gDestinationPath + commonPrefixLength, bufferLeft);
+
+      size_t len = NS_tstrlen(gDestinationPath + commonPrefixLength);
+      p += len;
+      bufferLeft -= len;
       *p = NS_T('\\');
       ++p;
+      bufferLeft--;
       *p = NS_T('\0');
       NS_tchar installDir[MAXPATHLEN];
       if (!GetInstallationDir(installDir))
         return 1;
       size_t callbackPrefixLength = PathCommonPrefixW(argv[callbackIndex], installDir, NULL);
-      NS_tstrcpy(p, argv[callbackIndex] + max(callbackPrefixLength, commonPrefixLength));
+      NS_tstrncpy(p, argv[callbackIndex] + max(callbackPrefixLength, commonPrefixLength), bufferLeft);
       targetPath = buffer;
     }
     if (!GetLongPathNameW(targetPath, callbackLongPath,
                           sizeof(callbackLongPath)/sizeof(callbackLongPath[0]))) {
       LOG(("NS_main: unable to find callback file: " LOG_S, targetPath));
       LogFinish();
       WriteStatusFile(WRITE_ERROR);
       EXIT_WHEN_ELEVATED(elevatedLockFilePath, updateLockFileHandle, 1);
