===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/scp.c,v
retrieving revision 1.162
retrieving revision 1.163
diff -u -r1.162 -r1.163
--- src/usr.bin/ssh/scp.c	2008/01/01 09:06:39	1.162
+++ src/usr.bin/ssh/scp.c	2008/06/13 18:55:22	1.163
@@ -1,4 +1,4 @@
-/* $OpenBSD: scp.c,v 1.162 2008/01/01 09:06:39 dtucker Exp $ */
+/* $OpenBSD: scp.c,v 1.163 2008/06/13 18:55:22 dtucker Exp $ */
 /*
  * scp - secure remote copy.  This is basically patched BSD rcp which
  * uses ssh to do the data transfer (instead of using rcmd).
@@ -607,7 +607,8 @@
 	struct stat stb;
 	static BUF buffer;
 	BUF *bp;
-	off_t i, amt, statbytes;
+	off_t i, statbytes;
+	size_t amt;
 	int fd = -1, haderr, indx;
 	char *last, *name, buf[2048], encname[MAXPATHLEN];
 	int len;
@@ -628,6 +629,10 @@
 syserr:			run_err("%s: %s", name, strerror(errno));
 			goto next;
 		}
+		if (stb.st_size < 0) {
+			run_err("%s: %s", name, "Negative file size");
+			goto next;
+		}
 		unset_nonblock(fd);
 		switch (stb.st_mode & S_IFMT) {
 		case S_IFREG:
@@ -687,7 +692,7 @@
 		set_nonblock(remout);
 		for (haderr = i = 0; i < stb.st_size; i += bp->cnt) {
 			amt = bp->cnt;
-			if (i + amt > stb.st_size)
+			if (i + (off_t)amt > stb.st_size)
 				amt = stb.st_size - i;
 			if (!haderr) {
 				if (atomicio(read, fd, bp->buf, amt) != amt)