The following diffs fix negative index array accesses. For the path_append diff, if the first path is empty the second path is just duplicated without a '/'. Is this correct? -Ray-
Index: misc.c
==================================================================
RCS file: /home/ray/openbsd/src/usr.bin/ssh/misc.c,v
retrieving revision 1.64
diff -u -p -r1.64 misc.c
--- misc.c 3 Aug 2006 03:34:42 -0000 1.64
+++ misc.c 2 Nov 2006 20:05:41 -0000
@@ -604,11 +604,15 @@ read_keyfile_line(FILE *f, const char *f
 {
 while (fgets(buf, bufsz, f) != NULL) {
 (*lineno)++;
- if (buf[strlen(buf) - 1] == '\n' || feof(f)) {
+ if (buf[0] != '\0' && buf[strlen(buf) - 1] == '\n' || feof(f)) {
 return 0;
 } else {
- debug("%s: %s line %lu exceeds size limit", __func__,
- filename, *lineno);
+ if (buf[0] != '\0')
+ debug("%s: %s line %lu exceeds size limit",
+ __func__, filename, *lineno);
+ else
+ debug("%s: %s line %lu contains a NUL character",
+ __func__, filename, *lineno);
 /* discard remainder of line */
 while (fgetc(f) != '\n' && !feof(f))
 ; /* nothing */
Index: sftp.c
==================================================================
RCS file: /home/ray/openbsd/src/usr.bin/ssh/sftp.c,v
retrieving revision 1.93
diff -u -p -r1.93 sftp.c
--- sftp.c 30 Sep 2006 17:48:22 -0000 1.93
+++ sftp.c 2 Nov 2006 20:14:58 -0000
@@ -286,11 +286,11 @@ static char *
 path_append(char *p1, char *p2)
 {
 char *ret;
- int len = strlen(p1) + strlen(p2) + 2;
+ size_t len = strlen(p1) + strlen(p2) + 2;
 ret = xmalloc(len);
 strlcpy(ret, p1, len);
- if (p1[strlen(p1) - 1] != '/')
+ if (p1[0] != '\0' && p1[strlen(p1) - 1] != '/')
 strlcat(ret, "/", len);
 strlcat(ret, p2, len);
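Review bot: The new `buf[0] != '\0'` guard in read_keyfile_line only covers a NUL in the first byte. A NUL later in the line still makes `strlen(buf)` stop early, so that line is reported as exceeding the size limit. In both NUL cases fgets() may already have consumed the newline, so the `fgetc` discard loop below appears to swallow the following line as well. For a key-file parser that means one malformed line can silently hide the next entry, which deserves a comment such as `/* NUL in line: fgets() may already have read the '\n', so the next line is dropped too */`, or a reader that returns the byte count. The condition also mixes `&&` and `||` without grouping; `if ((buf[0] != '\0' && buf[strlen(buf) - 1] == '\n') || feof(f)) {` states the intent. The function's signature and the end of the loop lie outside the hunk.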
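Review bot: `strlen(p1)` is evaluated three times in path_append, and the added emptiness test is spelled differently from the index it protects. Taking the length once with `size_t l1 = strlen(p1);` and testing `if (l1 > 0 && p1[l1 - 1] != '/')` ties the guard directly to the subtraction. Neither argument is written through in the visible lines, so both could be declared `const char *`. The end of the function is outside the hunk.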