"Fix" low-hanging fruit Coverity issues.

src/sftp/sftp_pkt.c

@@ -170,6 +170,9 @@ sftp_getstring(sftp_rx_pkt_t pkt)
 {
 	assert(pkt);
 	uint32_t sz = sftp_get32(pkt);
+	// Expressed this way so Coverity untaints it...
+	if (sz > pkt->sz - sizeof(sz) - offsetof(struct sftp_rx_pkt, data) - pkt->cur)
+		return NULL;
 	if (pkt->cur + offsetof(struct sftp_rx_pkt, data) + sizeof(sz) > pkt->sz)
 		return NULL;
 	sftp_str_t ret = sftp_memdup(&pkt->data[pkt->cur], sz);
@@ -204,6 +207,7 @@ sftp_rx_pkt_append(sftp_rx_pkt_t *pktp, uint8_t *inbuf, uint32_t len)
 	else {
 		old_used = pkt->used;
 		old_sz = pkt->sz;
+		old_cur = pkt->cur;
 		new_sz = offsetof(struct sftp_rx_pkt, len) + pkt->used + len;
 	}
 	if (new_sz > old_sz) {
@@ -287,11 +291,13 @@ sftp_tx_pkt_reset(sftp_tx_pkt_t *pktp)
 	return true;
 }
 
+#define APPEND_TX_DATA_PTR(pkt) (&((uint8_t *)pkt)[pkt->used + offsetof(struct sftp_tx_pkt, type)])
+
 #define APPEND_FUNC_BODY(var)                                                                     \
 	if (!grow_tx(pktp, sizeof(var)))                                                           \
 		return false;                                                                       \
 	sftp_tx_pkt_t pkt = *pktp;                                                                   \
-	memcpy(&((uint8_t *)pkt)[pkt->used + offsetof(struct sftp_tx_pkt, type)], &var, sizeof(var)); \
+	memcpy(APPEND_TX_DATA_PTR(pkt), &var, sizeof(var)); \
 	pkt->used += sizeof(var);                                                                      \
 	return true
 
@@ -333,7 +339,7 @@ sftp_appendstring(sftp_tx_pkt_t *pktp, sftp_str_t s)
 		return false;
 	}
 	sftp_tx_pkt_t pkt = *pktp;
-	memcpy(&(&pkt->type)[pkt->used], (uint8_t *)s->c_str, s->len);
+	memcpy(&((uint8_t *)pkt)[pkt->used + offsetof(struct sftp_tx_pkt, type)], (uint8_t *)s->c_str, s->len);
 	pkt->used += s->len;
 	return true;
 }
@@ -352,9 +358,7 @@ sftp_appendcstring(sftp_tx_pkt_t *pktp, const char *str)
 		oldused = (*pktp)->used;
 	assert(str);
 	if (str == NULL)
-		oldused = 0;
-	else
-		oldused = (*pktp)->used;
+		return false;
 	sz = strlen(str);
 	if (sz > UINT32_MAX)
 		return false;
@@ -367,7 +371,7 @@ sftp_appendcstring(sftp_tx_pkt_t *pktp, const char *str)
 		return false;
 	}
 	sftp_tx_pkt_t pkt = *pktp;
-	memcpy(&(&pkt->type)[pkt->used], str, len);
+	memcpy(APPEND_TX_DATA_PTR(pkt), str, len);
 	pkt->used += len;
 	return true;
 }

src/sftp/sftp_server.c

@@ -19,6 +19,8 @@ static sftp_str_t
 getcstring(sftps_state_t state)
 {
 	sftp_str_t str = getstring(state);
+	if (str == NULL)
+		return NULL;
 	if (memchr(str->c_str, 0, str->len) != NULL) {
 		free_sftp_str(str);
 		return NULL;

src/syncterm/term.c

@@ -2035,9 +2035,9 @@ xmodem_download(struct bbslist *bbs, long mode, char *path)
                 /* Use correct file size */
 		fflush(fp);
 
-		lprintf(LOG_DEBUG, "file_bytes=%u", file_bytes);
-		lprintf(LOG_DEBUG, "file_bytes_left=%u", file_bytes_left);
-		lprintf(LOG_DEBUG, "filelength=%u", filelength(fileno(fp)));
+		lprintf(LOG_DEBUG, "file_bytes=%" PRId64, file_bytes);
+		lprintf(LOG_DEBUG, "file_bytes_left=%" PRId64, file_bytes_left);
+		lprintf(LOG_DEBUG, "filelength=%" PRIuOFF, filelength(fileno(fp)));
 
 		if (file_bytes < (ulong)filelength(fileno(fp))) {
 			lprintf(LOG_INFO, "Truncating file to %lu bytes", (ulong)file_bytes);
@@ -3292,7 +3292,7 @@ apc_handler(char *strbuf, size_t slen, void *apcd)
 	char            fn_root[MAX_PATH + 1];
 	FILE           *f;
 	size_t          rc;
-	size_t          sz;
+	off_t           off;
 	char           *p;
 	char           *buf;
 	struct bbslist *bbs = apcd;
@@ -3412,20 +3412,29 @@ apc_handler(char *strbuf, size_t slen, void *apcd)
 			return;
 		if (!fexist(fn))
 			return;
-		sz = flength(fn);
+		off = flength(fn);
+		switch (off) {
+			case 4096:
+			case 3584:
+			case 2048:
+				// Only supported values.
+				break;
+			default:
+				return;
+		}
 		f = fopen(fn, "rb");
 		if (f) {
-			buf = malloc(sz);
+			buf = malloc(off);
 			if (buf == NULL) {
 				fclose(f);
 				return;
 			}
-			if (fread(buf, sz, 1, f) != 1) {
+			if (fread(buf, off, 1, f) != 1) {
 				fclose(f);
 				free(buf);
 				return;
 			}
-			switch (sz) {
+			switch (off) {
 				case 4096:
 					FREE_AND_NULL(conio_fontdata[cterm->font_slot].eight_by_sixteen);
 					conio_fontdata[cterm->font_slot].eight_by_sixteen = buf;

src/xpdev/xpprintf.c

@@ -1374,10 +1374,8 @@ char* xp_vasprintf(const char *format, va_list va)
 				next=xp_asprintf_next(working, type, va_arg(va, size_t));
 				break;
 		}
-		if(next==NULL) {
-			free(working);
+		if(next==NULL)
 			return(NULL);
-		}
 		working=next;
 	}
 	next=xp_asprintf_end(working, NULL);