Krzysztof Kowalczyk notes that 'etastr' can overflow if the times involved

[u/mdw/putty] / scp.c

diff --git a/scp.c b/scp.c
index 781e375..06bf089 100644 (file)
--- a/scp.c
+++ b/scp.c
@@ -470,7 +470,7 @@ static void print_stats(char *name, unsigned long size, unsigned long done,
 {
     float ratebs;
     unsigned long eta;
-    char etastr[10];
+    char *etastr;
     int pct;
     int len;
     int elap;
@@ -486,8 +486,8 @@ static void print_stats(char *name, unsigned long size, unsigned long done,
        eta = size - done;
     else
        eta = (unsigned long) ((size - done) / ratebs);
-    sprintf(etastr, "%02ld:%02ld:%02ld",
-           eta / 3600, (eta % 3600) / 60, eta % 60);
+    etastr = dupprintf("%02ld:%02ld:%02ld",
+                      eta / 3600, (eta % 3600) / 60, eta % 60);
 
     pct = (int) (100 * (done * 1.0 / size));
 
@@ -506,6 +506,8 @@ static void print_stats(char *name, unsigned long size, unsigned long done,
 
        fflush(stdout);
     }
+
+    free(etastr);
 }
 
 /*
@@ -1833,11 +1835,12 @@ static void sink(char *targ, char *src)
        received = 0;
        while (received < act.size) {
            char transbuf[4096];
-           int blksize, read;
+           unsigned long blksize;
+           int read;
            blksize = 4096;
-           if (blksize > (int)(act.size - received))
+           if (blksize > (act.size - received))
                blksize = act.size - received;
-           read = scp_recv_filedata(transbuf, blksize);
+           read = scp_recv_filedata(transbuf, (int)blksize);
            if (read <= 0)
                bump("Lost connection");
            if (wrerror)