diff --git a/common/stringhelp.c b/common/stringhelp.c
index 509d327b0..3b481e862 100644
--- a/common/stringhelp.c
+++ b/common/stringhelp.c
@@ -1443,12 +1443,13 @@ compare_version_strings (const char *my_version, const char *req_version)
 
 
 /* Format a string so that it fits within about TARGET_COLS columns.
-   TEXT_IN is copied to a new buffer, which is returned.
-   Normally, target_cols will be 72 and max_cols is 80.  */
+ * TEXT_IN is copied to a new buffer, which is returned.  Normally,
+ * target_cols will be 72 and max_cols is 80.  On error NULL is
+ * returned and ERRNO is set. */
 char *
 format_text (const char *text_in, int target_cols, int max_cols)
 {
-  const int do_debug = 0;
+  /* const int do_debug = 0; */
 
   /* The character under consideration.  */
   char *p;
@@ -1460,7 +1461,9 @@ format_text (const char *text_in, int target_cols, int max_cols)
   int copied_last_space = 0;
   char *text;
 
-  text = xstrdup (text_in);
+  text = xtrystrdup (text_in);
+  if (!text)
+    return NULL;
 
   p = line = text;
   while (1)
@@ -1514,9 +1517,9 @@ format_text (const char *text_in, int target_cols, int max_cols)
           cols_with_left_space = last_space_cols;
           cols_with_right_space = cols;
 
-          if (do_debug)
-            log_debug ("Breaking: '%.*s'\n",
-                       (int) ((uintptr_t) p - (uintptr_t) line), line);
+          /* if (do_debug) */
+          /*   log_debug ("Breaking: '%.*s'\n", */
+          /*              (int) ((uintptr_t) p - (uintptr_t) line), line); */
 
           /* The number of columns away from TARGET_COLS.  We prefer
              to underflow than to overflow.  */
@@ -1528,21 +1531,22 @@ format_text (const char *text_in, int target_cols, int max_cols)
                max_cols.  */
             right_penalty += 4 * (cols_with_right_space - max_cols);
 
-          if (do_debug)
-            log_debug ("Left space => %d cols (penalty: %d); right space => %d cols (penalty: %d)\n",
-                       cols_with_left_space, left_penalty,
-                       cols_with_right_space, right_penalty);
+          /* if (do_debug) */
+          /*   log_debug ("Left space => %d cols (penalty: %d); " */
+          /*              "right space => %d cols (penalty: %d)\n", */
+          /*              cols_with_left_space, left_penalty, */
+          /*              cols_with_right_space, right_penalty); */
           if (last_space_cols && left_penalty <= right_penalty)
-            /* Prefer the left space.  */
             {
-              if (do_debug)
-                log_debug ("Breaking at left space.\n");
+              /* Prefer the left space.  */
+              /* if (do_debug) */
+              /*   log_debug ("Breaking at left space.\n"); */
               p = last_space;
             }
           else
             {
-              if (do_debug)
-                log_debug ("Breaking at right space.\n");
+              /* if (do_debug) */
+              /*   log_debug ("Breaking at right space.\n"); */
             }
 
           if (! *p)
diff --git a/common/t-stringhelp.c b/common/t-stringhelp.c
index 869ca56f0..189fed1f9 100644
--- a/common/t-stringhelp.c
+++ b/common/t-stringhelp.c
@@ -886,6 +886,11 @@ test_format_text (void)
       struct test *test = &tests[i];
       char *result =
         format_text (test->input, test->target_cols, test->max_cols);
+      if (!result)
+        {
+          fail (1);
+          exit (2);
+        }
       if (strcmp (result, test->expected) != 0)
         {
           printf ("%s: Test #%d failed.\nExpected: '%s'\nResult: '%s'\n",
diff --git a/g10/gpgcompose.c b/g10/gpgcompose.c
index 071d6bf45..4a2cb818f 100644
--- a/g10/gpgcompose.c
+++ b/g10/gpgcompose.c
@@ -306,6 +306,8 @@ show_help (struct option options[])
       if (! option)
         space = 72;
       formatted = format_text (tmp, space, space + 4);
+      if (!format_text)
+        abort ();
 
       if (tmp != help)
         xfree (tmp);
diff --git a/g10/tofu.c b/g10/tofu.c
index 1437a50b9..1c1c3967f 100644
--- a/g10/tofu.c
+++ b/g10/tofu.c
@@ -1305,7 +1305,7 @@ signature_stats_collect_cb (void *cookie, int argc, char **argv,
 }
 
 /* Format the first part of a conflict message and return that as a
- * malloced string.  */
+ * malloced string. Returns NULL on error. */
 static char *
 format_conflict_msg_part1 (int policy, strlist_t conflict_set,
                            const char *email)
@@ -1586,6 +1586,10 @@ ask_about_binding (ctrl_t ctrl,
 
   {
     char *text = format_conflict_msg_part1 (*policy, conflict_set, email);
+    if (!text) /* FIXME: Return the error all the way up.  */
+      log_fatal ("format failed: %s\n",
+                 gpg_strerror (gpg_error_from_syserror()));
+
     es_fputs (text, fp);
     es_fputc ('\n', fp);
     xfree (text);
@@ -1927,7 +1931,7 @@ ask_about_binding (ctrl_t ctrl,
             "call the person to make sure this new key is legitimate.";
         }
       textbuf = format_text (text, 72, 80);
-      es_fprintf (fp, "\n%s\n", textbuf);
+      es_fprintf (fp, "\n%s\n", textbuf? textbuf : "[OUT OF CORE!]");
       xfree (textbuf);
     }
 
@@ -3191,6 +3195,9 @@ show_statistics (tofu_dbs_t dbs,
         if (es_fclose_snatch (fp, (void **) &tmpmsg, NULL))
           log_fatal ("error snatching memory stream\n");
         msg = format_text (tmpmsg, 72, 80);
+        if (!msg) /* FIXME: Return the error all the way up.  */
+          log_fatal ("format failed: %s\n",
+                     gpg_strerror (gpg_error_from_syserror()));
         es_free (tmpmsg);
 
         /* Print a status line but suppress the trailing LF.
@@ -3266,6 +3273,9 @@ show_warning (const char *fingerprint, strlist_t user_id_list)
      set_policy_command);
 
   text = format_text (tmpmsg, 72, 80);
+  if (!text) /* FIXME: Return the error all the way up.  */
+    log_fatal ("format failed: %s\n",
+               gpg_strerror (gpg_error_from_syserror()));
   xfree (tmpmsg);
   log_string (GPGRT_LOG_INFO, text);
   xfree (text);