diff --git a/src/sftp/sftp_pkt.c b/src/sftp/sftp_pkt.c
index 7e632567dfa30f393954cbc7e61447c5039fc839..da40bdadfa366647b9692419d0c3240cb7123ee8 100644
--- a/src/sftp/sftp_pkt.c
+++ b/src/sftp/sftp_pkt.c
@@ -170,6 +170,9 @@ sftp_getstring(sftp_rx_pkt_t pkt)
 {
 assert(pkt);
 uint32_t sz = sftp_get32(pkt);
+ // Expressed this way so Coverity untaints it...
+ if (sz > pkt->sz - sizeof(sz) - offsetof(struct sftp_rx_pkt, data) - pkt->cur)
+ return NULL;
 if (pkt->cur + offsetof(struct sftp_rx_pkt, data) + sizeof(sz) > pkt->sz)
 return NULL;
 sftp_str_t ret = sftp_memdup(&pkt->data[pkt->cur], sz);
@@ -204,6 +207,7 @@ sftp_rx_pkt_append(sftp_rx_pkt_t *pktp, uint8_t *inbuf, uint32_t len)
 else {
 old_used = pkt->used;
 old_sz = pkt->sz;
+ old_cur = pkt->cur;
 new_sz = offsetof(struct sftp_rx_pkt, len) + pkt->used + len;
 }
 if (new_sz > old_sz) {
@@ -287,11 +291,13 @@ sftp_tx_pkt_reset(sftp_tx_pkt_t *pktp)
 return true;
 }
+#define APPEND_TX_DATA_PTR(pkt) (&((uint8_t *)pkt)[pkt->used + offsetof(struct sftp_tx_pkt, type)])
+
 #define APPEND_FUNC_BODY(var) \
 if (!grow_tx(pktp, sizeof(var))) \
 return false; \
 sftp_tx_pkt_t pkt = *pktp; \
- memcpy(&((uint8_t *)pkt)[pkt->used + offsetof(struct sftp_tx_pkt, type)], &var, sizeof(var)); \
+ memcpy(APPEND_TX_DATA_PTR(pkt), &var, sizeof(var)); \
 pkt->used += sizeof(var); \
 return true
@@ -333,7 +339,7 @@ sftp_appendstring(sftp_tx_pkt_t *pktp, sftp_str_t s)
 return false;
 }
 sftp_tx_pkt_t pkt = *pktp;
- memcpy(&(&pkt->type)[pkt->used], (uint8_t *)s->c_str, s->len);
+ memcpy(&((uint8_t *)pkt)[pkt->used + offsetof(struct sftp_tx_pkt, type)], (uint8_t *)s->c_str, s->len);
 pkt->used += s->len;
 return true;
 }
@@ -352,9 +358,7 @@ sftp_appendcstring(sftp_tx_pkt_t *pktp, const char *str)
 oldused = (*pktp)->used;
 assert(str);
 if (str == NULL)
- oldused = 0;
- else
- oldused = (*pktp)->used;
+ return false;
 sz = strlen(str);
 if (sz > UINT32_MAX)
 return false;
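Review bot: The new length check evaluates `pkt->sz - sizeof(sz) - offsetof(struct sftp_rx_pkt, data) - pkt->cur` before the existing check on the following line has established that the header fits, so when it does not, that unsigned (size_t) subtraction wraps to a huge bound, the new test passes vacuously and rejection rests on the second check alone. Swapping the two checks makes the subtraction provably non-wrapping and keeps the Coverity-friendly comparison as the final gate: `if (pkt->cur + offsetof(struct sftp_rx_pkt, data) + sizeof(sz) > pkt->sz) return NULL;` first, then `if (sz > pkt->sz - sizeof(sz) - offsetof(struct sftp_rx_pkt, data) - pkt->cur) return NULL;`. The comment should also name the invariant it depends on, e.g. `// bound = payload bytes left after the header; valid only because the fit check above ran`. sftp_getstring's body continues past the hunk.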
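Review bot: `old_cur = pkt->cur;` is assigned only in this `else` branch of sftp_rx_pkt_append; the matching `if` branch and the declaration of old_cur are outside the hunk, so if that branch does not set it as well, any later read of old_cur on that path is an uninitialized read. Initializing it at its declaration, the way old_used/old_sz presumably are, closes the gap regardless of which branch runs. The function begins and ends outside the hunk.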
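Review bot: APPEND_TX_DATA_PTR uses its `pkt` argument unparenthesized in both `(uint8_t *)pkt` and `pkt->used`, so an argument such as `*pktp` casts correctly but then parses as `*(pktp->used)`; the expansions in APPEND_FUNC_BODY and in sftp_appendcstring (next hunk) happen to pass a plain identifier, which is why it works today. Parenthesizing the parameter is the usual defence: `#define APPEND_TX_DATA_PTR(pkt) (&((uint8_t *)(pkt))[(pkt)->used + offsetof(struct sftp_tx_pkt, type)])`. A one-line comment stating what the address is would help the next reader, e.g. `// Next unused payload byte; the payload region starts at the type member`.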
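Review bot: The replacement memcpy in sftp_appendstring spells out `&((uint8_t *)pkt)[pkt->used + offsetof(struct sftp_tx_pkt, type)]` even though this same commit introduces APPEND_TX_DATA_PTR for exactly that address and uses it in APPEND_FUNC_BODY and sftp_appendcstring; the line would read consistently as `memcpy(APPEND_TX_DATA_PTR(pkt), (uint8_t *)s->c_str, s->len);`. Keeping a single definition of the payload-pointer arithmetic means any future correction lands in every appender at once. The function's opening lines, including the grow_tx call that sizes the copy, are outside the hunk.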
@@ -367,7 +371,7 @@ sftp_appendcstring(sftp_tx_pkt_t *pktp, const char *str)
 return false;
 }
 sftp_tx_pkt_t pkt = *pktp;
- memcpy(&(&pkt->type)[pkt->used], str, len);
+ memcpy(APPEND_TX_DATA_PTR(pkt), str, len);
 pkt->used += len;
 return true;
 }
diff --git a/src/sftp/sftp_server.c b/src/sftp/sftp_server.c
index b3f48ebc7627c541db66d323fe9489e6d0a02b91..3568558a8730ba1bee30d57ea98ea9c9815e9c0d 100644
--- a/src/sftp/sftp_server.c
+++ b/src/sftp/sftp_server.c
@@ -19,6 +19,8 @@ static sftp_str_t getcstring(sftps_state_t state)
 {
 sftp_str_t str = getstring(state);
+ if (str == NULL)
+ return NULL;
 if (memchr(str->c_str, 0, str->len) != NULL) {
 free_sftp_str(str);
 return NULL;
diff --git a/src/syncterm/term.c b/src/syncterm/term.c
index 36048c475c958707992de70ae977f97cdc469285..a4544e973cee2ef94a591918c38a434bd32b5d23 100644
--- a/src/syncterm/term.c
+++ b/src/syncterm/term.c
@@ -2035,9 +2035,9 @@ xmodem_download(struct bbslist *bbs, long mode, char *path)
 /* Use correct file size */
 fflush(fp);
- lprintf(LOG_DEBUG, "file_bytes=%u", file_bytes);
- lprintf(LOG_DEBUG, "file_bytes_left=%u", file_bytes_left);
- lprintf(LOG_DEBUG, "filelength=%u", filelength(fileno(fp)));
+ lprintf(LOG_DEBUG, "file_bytes=%" PRId64, file_bytes);
+ lprintf(LOG_DEBUG, "file_bytes_left=%" PRId64, file_bytes_left);
+ lprintf(LOG_DEBUG, "filelength=%" PRIuOFF, filelength(fileno(fp)));
 if (file_bytes < (ulong)filelength(fileno(fp))) {
 lprintf(LOG_INFO, "Truncating file to %lu bytes", (ulong)file_bytes);
@@ -3292,7 +3292,7 @@ apc_handler(char *strbuf, size_t slen, void *apcd)
 char fn_root[MAX_PATH + 1];
 FILE *f;
 size_t rc;
- size_t sz;
+ off_t off;
 char *p;
 char *buf;
 struct bbslist *bbs = apcd;
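Review bot: With the new NULL guard, getcstring returns NULL for two distinct reasons — getstring() itself returned NULL, and the string carried an embedded NUL — and callers cannot tell them apart, which is fine for a "treat the packet as malformed" contract but should be written down. A header comment on the function would do it, e.g. `/* Returns NULL when the string cannot be read from the packet or contains an embedded NUL; callers must treat either as a malformed packet. */`. The function's signature line sits in the hunk header and its tail is outside the hunk.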
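Review bot: The three debug lines now print file_bytes with PRId64 and filelength() with PRIuOFF, but the two lines right after them still go through `(ulong)` casts — `(ulong)filelength(fileno(fp))` in the comparison and `(ulong)file_bytes` in the LOG_INFO message — which narrow a 64-bit value on targets where long is 32 bits, so the truncation decision and its log line can disagree with the values just printed. Comparing the two values without the casts and giving the info message the same specifier, e.g. `lprintf(LOG_INFO, "Truncating file to %" PRId64 " bytes", file_bytes);`, keeps all of these lines consistent. If filelength() returns a signed off_t and reports errors with a negative value, PRIuOFF will also render that error as a very large unsigned number; the signed counterpart of that macro would match the return type. xmodem_download continues outside the hunk on both sides.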
@@ -3412,20 +3412,29 @@ apc_handler(char *strbuf, size_t slen, void *apcd)
 return;
 if (!fexist(fn))
 return;
- sz = flength(fn);
+ off = flength(fn);
+ switch (off) {
+ case 4096:
+ case 3584:
+ case 2048:
+ // Only supported values.
+ break;
+ default:
+ return;
+ }
 f = fopen(fn, "rb");
 if (f) {
- buf = malloc(sz);
+ buf = malloc(off);
 if (buf == NULL) {
 fclose(f);
 return;
 }
- if (fread(buf, sz, 1, f) != 1) {
+ if (fread(buf, off, 1, f) != 1) {
 fclose(f);
 free(buf);
 return;
 }
- switch (sz) {
+ switch (off) {
 case 4096:
 FREE_AND_NULL(conio_fontdata[cterm->font_slot].eight_by_sixteen);
 conio_fontdata[cterm->font_slot].eight_by_sixteen = buf;
diff --git a/src/xpdev/xpprintf.c b/src/xpdev/xpprintf.c
index 34ef165b8ec6bc76997b19c5d2282a926ef0737b..f8bb3209526a9d5488d3686cfaf7b34966768b18 100644
--- a/src/xpdev/xpprintf.c
+++ b/src/xpdev/xpprintf.c
@@ -1374,10 +1374,8 @@ char* xp_vasprintf(const char *format, va_list va)
 next=xp_asprintf_next(working, type, va_arg(va, size_t));
 break;
 }
- if(next==NULL) {
- free(working);
+ if(next==NULL)
 return(NULL);
- }
 working=next;
 }
 next=xp_asprintf_end(working, NULL);
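Review bot: The accepted font sizes (4096, 3584, 2048) now appear twice in apc_handler — in the validating switch added here and in the dispatching `switch (off)` a few lines below — with nothing tying the two lists together, so adding a size to one and not the other either rejects the file early or leaves `buf` allocated and unassigned, depending on what the second switch's default branch (outside the hunk) does. Naming the sizes once, in an enum or a small static table near conio_fontdata, and using it in both switches keeps them in step. The conversions in `malloc(off)` and `fread(buf, off, 1, f)` are sound only because the switch has just pinned off to a positive constant; a comment such as `// off is one of the sizes accepted above, so the off_t->size_t conversions below are safe` records that dependency for the next reader. apc_handler continues outside the hunk.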
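Review bot: Dropping `free(working);` on the `next==NULL` path is correct only if xp_asprintf_next() already releases (or takes ownership of) `working` when it fails; its definition is outside the hunk, so read in isolation the change looks like a newly introduced leak rather than a double free removed. If that ownership rule holds, a comment on the new line pins it down, e.g. `if(next==NULL)	/* working was already released by xp_asprintf_next() */`, and the same rule belongs in xp_asprintf_next's header comment; if it does not hold, the free should stay. The enclosing loop and the function begin outside the hunk.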