sudoers plugin: silence most -Wconversion warnings.

plugins/sudoers/alias.c

@@ -67,7 +67,7 @@ alias_compare(const void *v1, const void *v2)
  */
 struct alias *
 alias_get(const struct sudoers_parse_tree *parse_tree, const char *name,
-    int type)
+    short type)
 {
     struct alias key;
     struct rbnode *node;
@@ -114,8 +114,9 @@ alias_put(struct alias *a)
  * Returns true on success and false on failure, setting errno.
  */
 bool
-alias_add(struct sudoers_parse_tree *parse_tree, char *name, int type,
+alias_add(struct sudoers_parse_tree *parse_tree, char *name,
-    char *file, int line, int column, struct member *members)
+    short type, char *file, int line, int column,
+    struct member *members)
 {
     struct alias *a;
     debug_decl(alias_add, SUDOERS_DEBUG_ALIAS);
@@ -228,7 +229,8 @@ alias_free(void *v)
  * Find the named alias, remove it from the tree and return it.
  */
 struct alias *
-alias_remove(struct sudoers_parse_tree *parse_tree, const char *name, int type)
+alias_remove(struct sudoers_parse_tree *parse_tree, const char *name,
+    short type)
 {
     struct rbnode *node;
     struct alias key;
@@ -262,7 +264,7 @@ free_aliases(struct rbtree *aliases)
 }
 
 const char *
-alias_type_to_string(int alias_type)
+alias_type_to_string(short alias_type)
 {
     return alias_type == HOSTALIAS ? "Host_Alias" :
 	alias_type == CMNDALIAS ? "Cmnd_Alias" :
@@ -277,7 +279,7 @@ alias_type_to_string(int alias_type)
  */
 static bool
 alias_remove_recursive(struct sudoers_parse_tree *parse_tree, char *name,
-    int type, struct rbtree *freelist)
+    short type, struct rbtree *freelist)
 {
     struct member *m;
     struct alias *a;
@@ -299,7 +301,7 @@ alias_remove_recursive(struct sudoers_parse_tree *parse_tree, char *name,
 
 static int
 alias_find_used_members(struct sudoers_parse_tree *parse_tree,
-    struct member_list *members, int atype, struct rbtree *used_aliases)
+    struct member_list *members, short atype, struct rbtree *used_aliases)
 {
     struct member *m;
     int errors = 0;

plugins/sudoers/auth/pam.c

@@ -683,7 +683,8 @@ converse(int num_msg, PAM_CONST struct pam_message **msg,
     sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO,
 	"number of PAM messages: %d", num_msg);
 
-    if ((reply = calloc(num_msg, sizeof(struct pam_response))) == NULL) {
+    reply = calloc((size_t)num_msg, sizeof(struct pam_response));
+    if (reply == NULL) {
 	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
 	debug_return_int(PAM_BUF_ERR);
     }

plugins/sudoers/auth/sudo_auth.c

@@ -465,7 +465,7 @@ auth_getpass(const char *prompt, int type, struct sudo_conv_callback *callback)
     /* Call conversation function. */
     memset(&msg, 0, sizeof(msg));
     msg.msg_type = type;
-    msg.timeout = def_passwd_timeout.tv_sec;
+    msg.timeout = (int)def_passwd_timeout.tv_sec;
     msg.msg = prompt;
     memset(&repl, 0, sizeof(repl));
     sudo_conv(1, &msg, &repl, callback);

plugins/sudoers/b64_encode.c

@@ -43,14 +43,14 @@ base64_encode(const unsigned char *in, size_t in_len, char *out, size_t out_len)
 	    rem -= 6;
 	    if (io >= out_len)
 		debug_return_size_t((size_t)-1); /* truncation is failure */
-	    out[io++] = base64enc_tab[(v >> rem) & 63];
+	    out[io++] = (char)base64enc_tab[(v >> rem) & 63];
 	}
     }
     if (rem != 0) {
 	v <<= (6 - rem);
 	if (io >= out_len)
 	    debug_return_size_t((size_t)-1); /* truncation is failure */
-	out[io++] = base64enc_tab[v&63];
+	out[io++] = (char)base64enc_tab[v&63];
     }
     while (io & 3) {
 	if (io >= out_len)

plugins/sudoers/check_aliases.c

@@ -1,7 +1,7 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 2004-2005, 2007-2018, 2021-2022
+ * Copyright (c) 2004-2005, 2007-2018, 2021-2023
  *	Todd C. Miller <Todd.Miller@sudo.ws>
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -109,7 +109,7 @@ alias_warnx(const char *file, int line, int column, bool strict, bool quiet,
 
 static int
 check_alias(struct sudoers_parse_tree *parse_tree,
-    struct alias_warned_list *warned, char *name, int type,
+    struct alias_warned_list *warned, char *name, short type,
     char *file, int line, int column, bool strict, bool quiet)
 {
     struct member *m;

plugins/sudoers/cvtsudoers.c

@@ -206,7 +206,8 @@ main(int argc, char *argv[])
 	    }
 	    break;
 	case 'I':
-	    conf->order_increment = sudo_strtonum(optarg, 1, UINT_MAX, &errstr);
+	    conf->order_increment =
+		(unsigned int)sudo_strtonum(optarg, 1, UINT_MAX, &errstr);
 	    if (errstr != NULL) {
 		sudo_warnx(U_("order increment: %s: %s"), optarg, U_(errstr));
 		usage();
@@ -225,7 +226,8 @@ main(int argc, char *argv[])
 	    output_file = optarg;
 	    break;
 	case 'O':
-	    conf->sudo_order = sudo_strtonum(optarg, 0, UINT_MAX, &errstr);
+	    conf->sudo_order =
+		(unsigned int)sudo_strtonum(optarg, 0, UINT_MAX, &errstr);
 	    if (errstr != NULL) {
 		sudo_warnx(U_("starting order: %s: %s"), optarg, U_(errstr));
 		usage();
@@ -235,7 +237,8 @@ main(int argc, char *argv[])
 	    conf->prune_matches = true;
 	    break;
 	case 'P':
-	    conf->order_padding = sudo_strtonum(optarg, 1, UINT_MAX, &errstr);
+	    conf->order_padding =
+		(unsigned int)sudo_strtonum(optarg, 1, UINT_MAX, &errstr);
 	    if (errstr != NULL ) {
 		sudo_warnx(U_("order padding: %s: %s"), optarg, U_(errstr));
 		usage();
@@ -522,8 +525,8 @@ cvtsudoers_parse_keyword(const char *conf_file, const char *keyword,
 		break;
 	    case CONF_UINT:
 		{
-		    unsigned int uval = 
+		    unsigned int uval =
-			sudo_strtonum(value, 0, UINT_MAX, &errstr);
+			(unsigned int)sudo_strtonum(value, 0, UINT_MAX, &errstr);
 		    if (errstr != NULL) {
 			sudo_warnx(U_("%s: %s: %s: %s"),
 			    conf_file, keyword, value, U_(errstr));
@@ -590,7 +593,7 @@ cvtsudoers_conf_read(const char *path)
 	keyword = line;
 	if ((value = strchr(line, '=')) == NULL || value == line)
 	    continue;
-	len = value - line;
+	len = (size_t)(value - line);
 
 	/* Trim whitespace after keyword and NUL-terminate. */
 	while (len > 0 && isblank((unsigned char)line[len - 1]))
@@ -870,7 +873,7 @@ hostlist_matches_filter(struct sudoers_parse_tree *parse_tree,
     char *lhost, *shost;
     bool ret = false;
     char **shosts;
-    int n = 0;
+    size_t n = 0;
     debug_decl(hostlist_matches_filter, SUDOERS_DEBUG_UTIL);
 
     if (filters == NULL || STAILQ_EMPTY(&filters->hosts))
@@ -1132,7 +1135,7 @@ filter_userspecs(struct sudoers_parse_tree *parse_tree,
  */
 static bool
 alias_matches(struct sudoers_parse_tree *parse_tree, const char *name,
-    const char *alias_name, int alias_type)
+    const char *alias_name, short alias_type)
 {
     struct alias *a;
     struct member *m;
@@ -1249,7 +1252,7 @@ alias_used_by_userspecs(struct sudoers_parse_tree *parse_tree,
  */
 static void
 free_aliases_by_members(struct sudoers_parse_tree *parse_tree,
-    struct member_list *members, int type)
+    struct member_list *members, short type)
 {
     struct member *m;
     struct alias *a;
@@ -1277,7 +1280,7 @@ filter_defaults(struct sudoers_parse_tree *parse_tree,
     struct member_list cmnd_aliases = TAILQ_HEAD_INITIALIZER(cmnd_aliases);
     struct defaults *def, *def_next;
     struct member *m, *m_next;
-    int alias_type;
+    short alias_type;
     debug_decl(filter_defaults, SUDOERS_DEBUG_DEFAULTS);
 
     if (filters == NULL && conf->defaults == CVT_DEFAULTS_ALL)

plugins/sudoers/cvtsudoers.h

@@ -48,8 +48,8 @@ struct cvtsudoers_config {
     unsigned int order_increment;
     unsigned int order_padding;
     unsigned int order_max;
-    short defaults;
+    int defaults;
-    short suppress;
+    int suppress;
     bool store_options;
     bool expand_aliases;
     bool prune_matches;

plugins/sudoers/cvtsudoers_csv.c

@@ -36,7 +36,7 @@
 #include "cvtsudoers.h"
 #include <gram.h>
 
-static void print_member_list_csv(FILE *fp, const struct sudoers_parse_tree *parse_tree, struct member_list *members, bool negated, int alias_type, bool expand_aliases);
+static void print_member_list_csv(FILE *fp, const struct sudoers_parse_tree *parse_tree, struct member_list *members, bool negated, short alias_type, bool expand_aliases);
 
 /*
  * Print sudoOptions from a defaults_list.
@@ -88,7 +88,7 @@ defaults_type_to_string(int defaults_type)
 /*
  * Map a Defaults type to an alias type.
  */
-static int
+static short
 defaults_to_alias_type(int defaults_type)
 {
     switch (defaults_type) {
@@ -185,7 +185,7 @@ format_cmnd(struct sudo_command *c, bool negated)
 
     cp = buf;
     TAILQ_FOREACH(digest, &c->digests, entries) {
-	len = snprintf(cp, bufsiz - (cp - buf), "%s:%s%s ", 
+	len = snprintf(cp, bufsiz - (size_t)(cp - buf), "%s:%s%s ", 
 	    digest_type_to_name(digest->digest_type), digest->digest_str,
 	    TAILQ_NEXT(digest, entries) ? "," : "");
 	if (len < 0 || len >= (int)bufsiz - (cp - buf))
@@ -193,8 +193,8 @@ format_cmnd(struct sudo_command *c, bool negated)
 	cp += len;
     }
 
-    len = snprintf(cp, bufsiz - (cp - buf), "%s%s%s%s", negated ? "!" : "",
+    len = snprintf(cp, bufsiz - (size_t)(cp - buf), "%s%s%s%s",
-	cmnd, c->args ? " " : "", c->args ? c->args : "");
+	negated ? "!" : "", cmnd, c->args ? " " : "", c->args ? c->args : "");
     if (len < 0 || len >= (int)bufsiz - (cp - buf))
 	sudo_fatalx(U_("internal error, %s overflow"), __func__);
 
@@ -207,7 +207,7 @@ format_cmnd(struct sudo_command *c, bool negated)
  */
 static void
 print_member_csv(FILE *fp, const struct sudoers_parse_tree *parse_tree,
-    char *name, int type, bool negated, bool quoted, int alias_type,
+    char *name, int type, bool negated, bool quoted, short alias_type,
     bool expand_aliases)
 {
     struct alias *a;
@@ -260,7 +260,7 @@ print_member_csv(FILE *fp, const struct sudoers_parse_tree *parse_tree,
  */
 static void
 print_member_list_csv(FILE *fp, const struct sudoers_parse_tree *parse_tree,
-    struct member_list *members, bool negated, int alias_type,
+    struct member_list *members, bool negated, short alias_type,
     bool expand_aliases)
 {
     struct member *m, *next;
@@ -292,7 +292,7 @@ print_defaults_binding_csv(FILE *fp,
     const struct sudoers_parse_tree *parse_tree,
      struct defaults_binding *binding, int type, bool expand_aliases)
 {
-    int alias_type;
+    short alias_type;
     debug_decl(print_defaults_binding_csv, SUDOERS_DEBUG_UTIL);
 
     if (type != DEFAULTS) {
@@ -432,7 +432,7 @@ print_cmndspec_csv(FILE *fp, const struct sudoers_parse_tree *parse_tree,
     struct member *m;
     struct tm gmt;
     bool last_one, quoted = false;
-    int len;
+    size_t len;
     debug_decl(print_cmndspec_csv, SUDOERS_DEBUG_UTIL);
 
     if (cs->runasuserlist != NULL) {

plugins/sudoers/cvtsudoers_json.c

@@ -42,7 +42,7 @@ struct json_alias_closure {
     struct json_container *jsonc;
     const char *title;
     unsigned int count;
-    int alias_type;
+    short alias_type;
 };
 
 /*
@@ -115,7 +115,7 @@ print_command_json(struct json_container *jsonc, const char *name, bool negated)
  * Map an alias type to enum word_type.
  */
 static enum word_type
-alias_to_word_type(int alias_type)
+alias_to_word_type(short alias_type)
 {
     switch (alias_type) {
     case CMNDALIAS:
@@ -162,7 +162,7 @@ print_member_json_int(struct json_container *jsonc,
     struct json_value value;
     const char *typestr = NULL;
     const char *errstr;
-    int alias_type = UNSPEC;
+    short alias_type = UNSPEC;
     id_t id;
     debug_decl(print_member_json_int, SUDOERS_DEBUG_UTIL);
 
@@ -535,7 +535,7 @@ print_defaults_json(struct json_container *jsonc,
  */
 static void
 print_aliases_by_type_json(struct json_container *jsonc,
-    const struct sudoers_parse_tree *parse_tree, int alias_type,
+    const struct sudoers_parse_tree *parse_tree, short alias_type,
     const char *title)
 {
     struct json_alias_closure closure;
@@ -608,7 +608,7 @@ print_cmndspec_json(struct json_container *jsonc,
     struct defaults *def;
     struct member *m;
     struct tm gmt;
-    int len;
+    size_t len;
     debug_decl(print_cmndspec_json, SUDOERS_DEBUG_UTIL);
 
     /* Open Cmnd_Spec object. */

plugins/sudoers/cvtsudoers_ldif.c

@@ -67,7 +67,8 @@ seen_user_free(void *v)
 static bool
 safe_string(const char *str)
 {
-    unsigned int ch = *str++;
+    const unsigned char *ustr = (const unsigned char *)str;
+    unsigned char ch = *ustr++;
     debug_decl(safe_string, SUDOERS_DEBUG_UTIL);
 
     /* Initial char must be <= 127 and not LF, CR, SPACE, ':', '<' */
@@ -86,7 +87,7 @@ safe_string(const char *str)
     }
 
     /* Any value <= 127 decimal except NUL, LF, and CR is safe */
-    while ((ch = *str++) != '\0') {
+    while ((ch = *ustr++) != '\0') {
 	if (ch > 127 || ch == '\n' || ch == '\r')
 	    debug_return_bool(false);
     }
@@ -237,7 +238,7 @@ format_cmnd(struct sudo_command *c, bool negated)
 
     cp = buf;
     TAILQ_FOREACH(digest, &c->digests, entries) {
-	len = snprintf(cp, bufsiz - (cp - buf), "%s:%s%s ", 
+	len = snprintf(cp, bufsiz - (size_t)(cp - buf), "%s:%s%s ", 
 	    digest_type_to_name(digest->digest_type), digest->digest_str,
 	    TAILQ_NEXT(digest, entries) ? "," : "");
 	if (len < 0 || len >= (int)bufsiz - (cp - buf))
@@ -245,8 +246,8 @@ format_cmnd(struct sudo_command *c, bool negated)
 	cp += len;
     }
 
-    len = snprintf(cp, bufsiz - (cp - buf), "%s%s%s%s", negated ? "!" : "",
+    len = snprintf(cp, bufsiz - (size_t)(cp - buf), "%s%s%s%s",
-	cmnd, c->args ? " " : "", c->args ? c->args : "");
+	negated ? "!" : "", cmnd, c->args ? " " : "", c->args ? c->args : "");
     if (len < 0 || len >= (int)bufsiz - (cp - buf))
 	sudo_fatalx(U_("internal error, %s overflow"), __func__);
 
@@ -259,7 +260,8 @@ format_cmnd(struct sudo_command *c, bool negated)
  */
 static void
 print_member_ldif(FILE *fp, const struct sudoers_parse_tree *parse_tree,
-    char *name, int type, bool negated, int alias_type, const char *attr_name)
+    char *name, int type, bool negated, short alias_type,
+    const char *attr_name)
 {
     struct alias *a;
     struct member *m;
@@ -322,7 +324,7 @@ print_cmndspec_ldif(FILE *fp, const struct sudoers_parse_tree *parse_tree,
     struct tm gmt;
     char *attr_val;
     bool last_one;
-    int len;
+    size_t len;
     debug_decl(print_cmndspec_ldif, SUDOERS_DEBUG_UTIL);
 
     /* Print runasuserlist as sudoRunAsUser attributes */

plugins/sudoers/cvtsudoers_merge.c

@@ -37,7 +37,7 @@
 #include <gram.h>
 
 static struct member *
-new_member(const char *name, int type)
+new_member(const char *name, short type)
 {
     struct member *m;
     debug_decl(digest_list_equivalent, SUDOERS_DEBUG_PARSER);
@@ -324,7 +324,7 @@ simplify_host_list(struct member_list *hosts, const char *file, int line,
  * subsequent parse_trees or merged_tree.
  */
 static char *
-alias_make_unique(const char *old_name, int type,
+alias_make_unique(const char *old_name, short type,
     struct sudoers_parse_tree *parse_tree0,
     struct sudoers_parse_tree *merged_tree)
 {
@@ -407,7 +407,7 @@ alias_rename_members(struct sudoers_parse_tree *parse_tree, struct alias *a,
 
 static void
 alias_rename_defaults(const char *old_name, const char *new_name,
-    int alias_type, struct defaults_list *defaults)
+    short alias_type, struct defaults_list *defaults)
 {
     struct defaults *def, *def_next;
     struct member *m;
@@ -489,7 +489,7 @@ alias_rename_member_list(const char *old_name, const char *new_name,
 
 static bool
 alias_rename_userspecs(const char *old_name, const char *new_name,
-    int alias_type, struct userspec_list *userspecs)
+    short alias_type, struct userspec_list *userspecs)
 {
     struct privilege *priv;
     struct cmndspec *cs;
@@ -531,8 +531,8 @@ alias_rename_userspecs(const char *old_name, const char *new_name,
  * Rename an alias in parse_tree and all the places where it is used.
  */
 static bool
-alias_rename(const char *old_name, const char *new_name, int alias_type,
+alias_rename(const char *old_name, const char *new_name,
-    struct sudoers_parse_tree *parse_tree)
+    short alias_type, struct sudoers_parse_tree *parse_tree)
 {
     struct alias_rename_closure closure = { old_name, new_name, alias_type };
     struct alias *a;

plugins/sudoers/cvtsudoers_pwutil.c

@@ -325,7 +325,7 @@ cvtsudoers_make_gidlist_item(const struct passwd *pw, char * const *unused1,
 
     /* Allocate gids[] array and fill it with parsed gids. */
     if (ngids != 0) {
-	gids = reallocarray(NULL, ngids, sizeof(GETGROUPS_T));
+	gids = reallocarray(NULL, (size_t)ngids, sizeof(GETGROUPS_T));
 	if (gids == NULL) {
 	    sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
 		"unable to allocate memory");
@@ -352,7 +352,7 @@ cvtsudoers_make_gidlist_item(const struct passwd *pw, char * const *unused1,
     /* Allocate in one big chunk for easy freeing. */
     nsize = strlen(pw->pw_name) + 1;
     total = sizeof(*glitem) + nsize;
-    total += sizeof(gid_t *) * ngids;
+    total += sizeof(gid_t *) * (size_t)ngids;
 
     if ((glitem = calloc(1, total)) == NULL) {
 	sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
@@ -369,7 +369,7 @@ cvtsudoers_make_gidlist_item(const struct passwd *pw, char * const *unused1,
     gidlist = &glitem->gidlist;
     cp = (char *)(glitem + 1);
     gidlist->gids = (gid_t *)cp;
-    cp += sizeof(gid_t) * ngids;
+    cp += sizeof(gid_t) * (size_t)ngids;
 
     /* Set key and datum. */
     memcpy(cp, pw->pw_name, nsize);
@@ -421,7 +421,7 @@ cvtsudoers_make_grlist_item(const struct passwd *pw, char * const *unused1)
     }
 
 #ifdef _SC_LOGIN_NAME_MAX
-    groupname_len = MAX(sysconf(_SC_LOGIN_NAME_MAX), 32);
+    groupname_len = MAX((size_t)sysconf(_SC_LOGIN_NAME_MAX), 32);
 #else
     groupname_len = MAX(LOGIN_NAME_MAX, 32);
 #endif
@@ -469,7 +469,7 @@ again:
 	    }
 	}
 	len = strlen(s->str) + 1;
-	if (cp - (char *)grlitem + len > total) {
+	if ((size_t)(cp - (char *)grlitem) + len > total) {
 	    total += len + groupname_len;
 	    free(grlitem);
 	    goto again;
@@ -478,7 +478,7 @@ again:
 	grlist->groups[ngroups++] = cp;
 	cp += len;
     }
-    grlist->ngroups = ngroups;
+    grlist->ngroups = (int)ngroups;
 
     debug_return_ptr(&grlitem->cache);
 }

plugins/sudoers/defaults.c

@@ -131,8 +131,8 @@ dump_defaults(void)
 		    break;
 		case T_TIMESPEC: {
 		    /* display timespec in minutes as a double */
-		    double d = cur->sd_un.tspec.tv_sec +
+		    double d = (double)cur->sd_un.tspec.tv_sec +
-			(cur->sd_un.tspec.tv_nsec / 1000000000.0);
+			((double)cur->sd_un.tspec.tv_nsec / 1000000000.0);
 		    sudo_printf(SUDO_CONV_INFO_MSG, desc, d / 60.0);
 		    sudo_printf(SUDO_CONV_INFO_MSG, "\n");
 		    break;
@@ -817,8 +817,7 @@ check_defaults(const struct sudoers_parse_tree *parse_tree, bool quiet)
 		continue;
 	    }
 	}
-	/* There was an error in the entry, flag it. */
+	/* There was an error in the entry. */
-	d->error = true;
 	ret = false;
     }
     debug_return_bool(ret);
@@ -834,7 +833,7 @@ store_int(const char *str, struct sudo_defs_types *def)
     if (str == NULL) {
 	def->sd_un.ival = 0;
     } else {
-	i = sudo_strtonum(str, INT_MIN, INT_MAX, &errstr);
+	i = (int)sudo_strtonum(str, INT_MIN, INT_MAX, &errstr);
 	if (errstr != NULL) {
 	    sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
 		"%s: %s", str, errstr);
@@ -855,7 +854,7 @@ store_uint(const char *str, struct sudo_defs_types *def)
     if (str == NULL) {
 	def->sd_un.uival = 0;
     } else {
-	u = sudo_strtonum(str, 0, UINT_MAX, &errstr);
+	u = (unsigned int)sudo_strtonum(str, 0, UINT_MAX, &errstr);
 	if (errstr != NULL) {
 	    sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
 		"%s: %s", str, errstr);
@@ -1043,7 +1042,7 @@ store_list(const char *str, struct sudo_defs_types *def, int op)
 	} else {
 	    for (cp = sudo_strsplit(str, end, " \t", &ep); cp != NULL;
 		cp = sudo_strsplit(NULL, end, " \t", &ep)) {
-		if (!list_op(cp, ep - cp, &def->sd_un.list, lop))
+		if (!list_op(cp, (size_t)(ep - cp), &def->sd_un.list, lop))
 		    debug_return_bool(false);
 	    }
 	}

plugins/sudoers/defaults.h

@@ -74,10 +74,10 @@ struct sudo_defs_types {
  * Defaults values to apply before others.
  */
 struct early_default {
-    short idx;
+    int idx;
-    short run_callback;
+    int run_callback;
-    short line;
+    int line;
-    short column;
+    int column;
     char *file;
 };
 

plugins/sudoers/display.c

@@ -343,7 +343,8 @@ display_bound_defaults_by_type(struct sudoers_parse_tree *parse_tree,
     struct defaults_binding *binding = NULL;
     struct member *m;
     const char *dsep;
-    int atype, nfound = 0;
+    short atype;
+    int nfound = 0;
     debug_decl(display_bound_defaults_by_type, SUDOERS_DEBUG_PARSER);
 
     switch (deftype) {
@@ -425,7 +426,7 @@ output(const char *buf)
     memset(&repl, 0, sizeof(repl));
     if (sudo_conv(1, &msg, &repl, NULL) == -1)
 	debug_return_int(0);
-    debug_return_int(strlen(buf));
+    debug_return_int((int)strlen(buf));
 }
 
 /*
@@ -437,8 +438,9 @@ display_privs(struct sudo_nss_list *snl, struct passwd *pw, bool verbose)
 {
     struct sudo_nss *nss;
     struct sudo_lbuf def_buf, priv_buf;
+    int cols, count, n;
+    unsigned int olen;
     struct stat sb;
-    int cols, count, olen, n;
     debug_decl(display_privs, SUDOERS_DEBUG_PARSER);
 
     cols = sudo_user.cols;

plugins/sudoers/editor.c

@@ -65,7 +65,7 @@ wordsplit(const char *str, const char *endstr, const char **last)
     if (*str == '"' || *str == '\'') {
 	const char *endquote;
 	for (cp = str + 1; cp < endstr; cp = endquote + 1) {
-	    endquote = memchr(cp, *str, endstr - cp);
+	    endquote = memchr(cp, *str, (size_t)(endstr - cp));
 	    if (endquote == NULL)
 		break;
 	    /* ignore escaped quotes */
@@ -142,7 +142,7 @@ resolve_editor(const char *ed, size_t edlen, int nfiles, char * const *files,
     cp = wordsplit(ed, edend, &ep);
     if (cp == NULL)
 	debug_return_str(NULL);
-    editor = copy_arg(cp, ep - cp);
+    editor = copy_arg(cp, (size_t)(ep - cp));
     if (editor == NULL)
 	goto oom;
 
@@ -158,7 +158,7 @@ resolve_editor(const char *ed, size_t edlen, int nfiles, char * const *files,
 	nargc++;
     if (nfiles != 0)
 	nargc += nfiles + 1;
-    nargv = reallocarray(NULL, nargc + 1, sizeof(char *));
+    nargv = reallocarray(NULL, (size_t)(nargc + 1), sizeof(char *));
     if (nargv == NULL)
 	goto oom;
     sudoers_gc_add(GC_PTR, nargv);
@@ -168,7 +168,7 @@ resolve_editor(const char *ed, size_t edlen, int nfiles, char * const *files,
     editor = NULL;
     for (nargc = 1; (cp = wordsplit(NULL, edend, &ep)) != NULL; nargc++) {
 	/* Copy string, collapsing chars escaped with a backslash. */
-	nargv[nargc] = copy_arg(cp, ep - cp);
+	nargv[nargc] = copy_arg(cp, (size_t)(ep - cp));
 	if (nargv[nargc] == NULL)
 	    goto oom;
 

plugins/sudoers/env.c

@@ -391,7 +391,7 @@ sudo_putenv_nodebug(char *str, bool dupcheck, bool overwrite)
 		    ep--;
 		}
 	    }
-	    env.env_len = ep - env.envp;
+	    env.env_len = (size_t)(ep - env.envp);
 	}
     }
 
@@ -1174,9 +1174,10 @@ validate_env_vars(char * const env_vars[])
 	if (okvar == false) {
 	    /* Not allowed, append to error buffer if space remains. */
 	    if (errpos < &errbuf[sizeof(errbuf)]) {
-		size_t varlen = strcspn(*ep, "=");
+		const size_t varlen = strcspn(*ep, "=");
-		int len = snprintf(errpos, sizeof(errbuf) - (errpos - errbuf),
+		const size_t errsize = sizeof(errbuf) - (size_t)(errpos - errbuf);
-		    "%s%.*s", errpos != errbuf ? ", " : "", (int)varlen, *ep);
+		int len = snprintf(errpos, errsize, "%s%.*s",
+		    errpos != errbuf ? ", " : "", (int)varlen, *ep);
 		if (len >= ssizeof(errbuf) - (errpos - errbuf)) {
 		    memcpy(&errbuf[sizeof(errbuf) - 4], "...", 4);
 		    errpos = &errbuf[sizeof(errbuf)];

plugins/sudoers/filedigest.c

@@ -45,7 +45,7 @@ sudo_filedigest(int fd, const char *file, unsigned int digest_type,
     int fd2;
     debug_decl(sudo_filedigest, SUDOERS_DEBUG_UTIL);
 
-    *digest_len = sudo_digest_getlen(digest_type);
+    *digest_len = (size_t)sudo_digest_getlen(digest_type);
     if (*digest_len == (size_t)-1) {
 	sudo_warnx(U_("unsupported digest type %u for %s"), digest_type, file);
 	debug_return_ptr(NULL);

plugins/sudoers/fmtsudoers.c

@@ -41,7 +41,7 @@
 static bool
 sudoers_format_member_int(struct sudo_lbuf *lbuf,
     const struct sudoers_parse_tree *parse_tree, char *name, int type,
-    bool negated, const char *separator, int alias_type)
+    bool negated, const char *separator, short alias_type)
 {
     struct alias *a;
     struct member *m;
@@ -137,7 +137,7 @@ sudoers_format_member_int(struct sudo_lbuf *lbuf,
 bool
 sudoers_format_member(struct sudo_lbuf *lbuf,
     const struct sudoers_parse_tree *parse_tree, struct member *m,
-    const char *separator, int alias_type)
+    const char *separator, short alias_type)
 {
     return sudoers_format_member_int(lbuf, parse_tree, m->name, m->type,
 	m->negated, separator, alias_type);

plugins/sudoers/fmtsudoers_cvt.c

@@ -168,7 +168,7 @@ sudoers_format_default_line(struct sudo_lbuf *lbuf,
     struct defaults **next, bool expand_aliases)
 {
     struct member *m;
-    int alias_type;
+    short alias_type;
     debug_decl(sudoers_format_default_line, SUDOERS_DEBUG_UTIL);
 
     /* Print Defaults type and binding (if present) */

plugins/sudoers/getdate.c

@@ -2188,7 +2188,7 @@ LookupWord(char *buff)
     /* Make it lowercase. */
     for (p = buff; *p; p++) {
 	if (isupper((unsigned char)*p))
-	    *p = tolower((unsigned char)*p);
+	    *p = (char)tolower((unsigned char)*p);
     }
     if ((bufflen = (int)(p - buff)) == 0)
 	return '\0';

plugins/sudoers/getdate.y

@@ -654,7 +654,7 @@ LookupWord(char *buff)
     /* Make it lowercase. */
     for (p = buff; *p; p++) {
 	if (isupper((unsigned char)*p))
-	    *p = tolower((unsigned char)*p);
+	    *p = (char)tolower((unsigned char)*p);
     }
     if ((bufflen = (int)(p - buff)) == 0)
 	return '\0';

plugins/sudoers/gram.c

@@ -2932,7 +2932,7 @@ yyreduce:
 #line 1024 "gram.y"
                               {
 			    alias_line = this_lineno;
-			    alias_column = sudolinebuf.toke_start + 1;
+			    alias_column = (int)sudolinebuf.toke_start + 1;
 			}
 #line 2932 "gram.c"
     break;
@@ -2965,7 +2965,7 @@ yyreduce:
 #line 1051 "gram.y"
                               {
 			    alias_line = this_lineno;
-			    alias_column = sudolinebuf.toke_start + 1;
+			    alias_column = (int)sudolinebuf.toke_start + 1;
 			}
 #line 2965 "gram.c"
     break;
@@ -2998,7 +2998,7 @@ yyreduce:
 #line 1078 "gram.y"
                               {
 			    alias_line = this_lineno;
-			    alias_column = sudolinebuf.toke_start + 1;
+			    alias_column = (int)sudolinebuf.toke_start + 1;
 			}
 #line 2998 "gram.c"
     break;
@@ -3021,7 +3021,7 @@ yyreduce:
 #line 1097 "gram.y"
                               {
 			    alias_line = this_lineno;
-			    alias_column = sudolinebuf.toke_start + 1;
+			    alias_column = (int)sudolinebuf.toke_start + 1;
 			}
 #line 3021 "gram.c"
     break;

plugins/sudoers/gram.y

@@ -1023,7 +1023,7 @@ hostaliases	:	hostalias
 
 hostalias	:	ALIAS {
 			    alias_line = this_lineno;
-			    alias_column = sudolinebuf.toke_start + 1;
+			    alias_column = (int)sudolinebuf.toke_start + 1;
 			} '=' hostlist {
 			    if (!alias_add(&parsed_policy, $1, HOSTALIAS,
 				sudoers, alias_line, alias_column, $4)) {
@@ -1050,7 +1050,7 @@ cmndaliases	:	cmndalias
 
 cmndalias	:	ALIAS {
 			    alias_line = this_lineno;
-			    alias_column = sudolinebuf.toke_start + 1;
+			    alias_column = (int)sudolinebuf.toke_start + 1;
 			} '=' cmndlist {
 			    if (!alias_add(&parsed_policy, $1, CMNDALIAS,
 				sudoers, alias_line, alias_column, $4)) {
@@ -1077,7 +1077,7 @@ runasaliases	:	runasalias
 
 runasalias	:	ALIAS {
 			    alias_line = this_lineno;
-			    alias_column = sudolinebuf.toke_start + 1;
+			    alias_column = (int)sudolinebuf.toke_start + 1;
 			} '=' userlist {
 			    if (!alias_add(&parsed_policy, $1, RUNASALIAS,
 				sudoers, alias_line, alias_column, $4)) {
@@ -1096,7 +1096,7 @@ useraliases	:	useralias
 
 useralias	:	ALIAS {
 			    alias_line = this_lineno;
-			    alias_column = sudolinebuf.toke_start + 1;
+			    alias_column = (int)sudolinebuf.toke_start + 1;
 			} '=' userlist {
 			    if (!alias_add(&parsed_policy, $1, USERALIAS,
 				sudoers, alias_line, alias_column, $4)) {

plugins/sudoers/group_plugin.c

@@ -80,7 +80,7 @@ group_plugin_fallback(char *path, size_t pathsize)
     }
 
     /* If directory ends in /lib/, try again with /lib/64/ or /lib64/. */
-    dirlen = slash - path;
+    dirlen = (int)(slash - path);
     if (dirlen < 4 || strncmp(slash - 4, "/lib", 4) != 0) {
 	goto done;
     }
@@ -98,7 +98,7 @@ group_plugin_fallback(char *path, size_t pathsize)
     if (dot == NULL) {
 	goto done;
     }
-    plen = dot - path;
+    plen = (int)(dot - path);
 
     /* If basename(path) doesn't match libfoo64.so, try adding the 64. */
     if (plen >= 2 && strncmp(dot - 2, "64", 2) == 0) {
@@ -206,7 +206,7 @@ group_plugin_load(const char *plugin_info)
             }
         }
 	if (ac != 0) {
-	    argv = reallocarray(NULL, ac + 1, sizeof(char *));
+	    argv = reallocarray(NULL, (size_t)(ac + 1), sizeof(char *));
 	    if (argv == NULL) {
 		sudo_warnx(U_("%s: %s"), __func__,
 		    U_("unable to allocate memory"));

plugins/sudoers/iolog.c

@@ -89,7 +89,7 @@ cb_maxseq(const char *file, int line, int column,
     unsigned int value;
     debug_decl(cb_maxseq, SUDOERS_DEBUG_UTIL);
 
-    value = sudo_strtonum(sd_un->str, 0, SESSID_MAX, &errstr);
+    value = (unsigned int)sudo_strtonum(sd_un->str, 0, SESSID_MAX, &errstr);
     if (errstr != NULL) {
         if (errno != ERANGE) {
             sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
@@ -234,7 +234,7 @@ deserialize_stringlist(const char *s)
 	    continue;
 	if ((str = malloc(sizeof(*str))) == NULL)
 	    goto bad;
-	if ((str->str = strndup(cp, (ep - cp))) == NULL) {
+	if ((str->str = strndup(cp, (size_t)(ep - cp))) == NULL) {
 	    free(str);
 	    goto bad;
 	}
@@ -317,8 +317,8 @@ iolog_deserialize_info(struct log_details *details, char * const user_info[],
 	switch (**cur) {
 	case 'c':
 	    if (strncmp(*cur, "cols=", sizeof("cols=") - 1) == 0) {
-		int n = sudo_strtonum(*cur + sizeof("cols=") - 1, 1, INT_MAX,
+		int n = (int)sudo_strtonum(*cur + sizeof("cols=") - 1, 1,
-		    NULL);
+		    INT_MAX, NULL);
 		if (n > 0)
 		    evlog->columns = n;
 		continue;
@@ -342,8 +342,8 @@ iolog_deserialize_info(struct log_details *details, char * const user_info[],
 	    break;
 	case 'l':
 	    if (strncmp(*cur, "lines=", sizeof("lines=") - 1) == 0) {
-		int n = sudo_strtonum(*cur + sizeof("lines=") - 1, 1, INT_MAX,
+		int n = (int)sudo_strtonum(*cur + sizeof("lines=") - 1, 1,
-		    NULL);
+		    INT_MAX, NULL);
 		if (n > 0)
 		    evlog->lines = n;
 		continue;
@@ -1132,7 +1132,7 @@ sudoers_io_change_winsize_local(unsigned int lines, unsigned int cols,
 	*errstr = strerror(EOVERFLOW);
 	goto done;
     }
-    if (iolog_write(&iolog_files[IOFD_TIMING], tbuf, len, errstr) == -1)
+    if (iolog_write(&iolog_files[IOFD_TIMING], tbuf, (size_t)len, errstr) == -1)
 	goto done;
 
     /* Success. */

plugins/sudoers/iolog_path_escapes.c

@@ -55,7 +55,7 @@ fill_seq(char *str, size_t strsize, void *v)
 	sessid[1], sessid[2], sessid[3], sessid[4], sessid[5]);
     if (len < 0)
 	debug_return_size_t(strsize); /* handle non-standard snprintf() */
-    debug_return_size_t(len);
+    debug_return_size_t((size_t)len);
 #endif /* SUDOERS_NO_SEQ */
 }
 
@@ -77,7 +77,7 @@ fill_group(char *str, size_t strsize, void *unused)
 	len = strlcpy(str, grp->gr_name, strsize);
 	sudo_gr_delref(grp);
     } else {
-	len = snprintf(str, strsize, "#%u", (unsigned int)user_gid);
+	len = (size_t)snprintf(str, strsize, "#%u", (unsigned int)user_gid);
     }
     debug_return_size_t(len);
 }
@@ -103,7 +103,8 @@ fill_runas_group(char *str, size_t strsize, void *unused)
 	    len = strlcpy(str, grp->gr_name, strsize);
 	    sudo_gr_delref(grp);
 	} else {
-	    len = snprintf(str, strsize, "#%u", (unsigned int)runas_pw->pw_gid);
+	    len = (size_t)snprintf(str, strsize, "#%u",
+		(unsigned int)runas_pw->pw_gid);
 	}
     }
     debug_return_size_t(len);

plugins/sudoers/ldap.c

@@ -163,7 +163,7 @@ sudo_ldap_join_uri(struct ldap_config_str_list *uri_list)
 	char *cp = buf;
 
 	STAILQ_FOREACH(uri, uri_list, entries) {
-	    cp += strlcpy(cp, uri->val, len - (cp - buf));
+	    cp += strlcpy(cp, uri->val, len - (size_t)(cp - buf));
 	    *cp++ = ' ';
 	}
 	cp[-1] = '\0';
@@ -484,7 +484,8 @@ sudo_ldap_timefilter(char *buffer, size_t buffersize)
     bool ret = false;
     struct tm gmt;
     time_t now;
-    int len;
+    size_t tblen;
+    int buflen;
     debug_decl(sudo_ldap_timefilter, SUDOERS_DEBUG_LDAP);
 
     /* Make sure we have a formatted timestamp for __now__. */
@@ -496,16 +497,16 @@ sudo_ldap_timefilter(char *buffer, size_t buffersize)
 
     /* Format the timestamp according to the RFC. */
     timebuffer[sizeof(timebuffer) - 1] = '\0';
-    len = strftime(timebuffer, sizeof(timebuffer), "%Y%m%d%H%M%S.0Z", &gmt);
+    tblen = strftime(timebuffer, sizeof(timebuffer), "%Y%m%d%H%M%S.0Z", &gmt);
-    if (len == 0 || timebuffer[sizeof(timebuffer) - 1] != '\0') {
+    if (tblen == 0 || timebuffer[sizeof(timebuffer) - 1] != '\0') {
 	sudo_warnx("%s", U_("unable to format timestamp"));
 	goto done;
     }
 
     /* Build filter. */
-    len = snprintf(buffer, buffersize, "(&(|(!(sudoNotAfter=*))(sudoNotAfter>=%s))(|(!(sudoNotBefore=*))(sudoNotBefore<=%s)))",
+    buflen = snprintf(buffer, buffersize, "(&(|(!(sudoNotAfter=*))(sudoNotAfter>=%s))(|(!(sudoNotBefore=*))(sudoNotBefore<=%s)))",
 	timebuffer, timebuffer);
-    if (len < 0 || (size_t)len >= buffersize) {
+    if (buflen < 0 || (size_t)buflen >= buffersize) {
 	sudo_warnx(U_("internal error, %s overflow"), __func__);
 	errno = EOVERFLOW;
 	goto done;
@@ -1236,7 +1237,7 @@ sudo_set_krb5_ccache_name(const char *name, const char **old_name)
      * gss_krb5_ccache_name().
      */
     if (sudo_gss_krb5_ccache_name != NULL) {
-	ret = sudo_gss_krb5_ccache_name(&junk, name, old_name);
+	ret = (int)sudo_gss_krb5_ccache_name(&junk, name, old_name);
     } else {
 	/* No gss_krb5_ccache_name(), fall back on KRB5CCNAME. */
 	if (old_name != NULL)
@@ -1286,7 +1287,8 @@ sudo_krb5_copy_cc_file(const char *old_ccname)
 		    while ((nread = read(ofd, buf, sizeof(buf))) > 0) {
 			ssize_t off = 0;
 			do {
-			    nwritten = write(nfd, buf + off, nread - off);
+			    nwritten = write(nfd, buf + off,
+				(size_t)(nread - off));
 			    if (nwritten == -1) {
 				sudo_warn("error writing to %s", new_ccname);
 				goto write_error;
@@ -1773,7 +1775,7 @@ sudo_ldap_result_add_entry(struct ldap_result *lres, LDAPMessage *entry)
      * of 100 entries to save on allocation time.
      */
     if (++lres->nentries > lres->allocated_entries) {
-	int allocated_entries = lres->allocated_entries + ALLOCATION_INCREMENT;
+	size_t allocated_entries = lres->allocated_entries + ALLOCATION_INCREMENT;
 	struct ldap_entry_wrapper *entries = reallocarray(lres->entries,
 	    allocated_entries, sizeof(lres->entries[0]));
 	if (entries == NULL)

plugins/sudoers/ldap_conf.c

@@ -425,7 +425,7 @@ sudo_ldap_parse_keyword(const char *keyword, const char *value,
 		*(int *)(cur->valp) = sudo_strtobool(value) == true;
 		break;
 	    case CONF_INT:
-		*(int *)(cur->valp) = sudo_strtonum(value, INT_MIN, INT_MAX,
+		*(int *)(cur->valp) = (int)sudo_strtonum(value, INT_MIN, INT_MAX,
 		    &errstr);
 		if (errstr != NULL) {
 		    sudo_warnx(U_("%s: %s: %s: %s"),

plugins/sudoers/ldap_innetgr.c

@@ -112,19 +112,19 @@ sudo_ldap_match_netgroup(const char *triple, const char *host,
     /* Parse host. */
     cp = triple + 1;
     ep = strchr(cp, ',');
-    if (ep == NULL || !sudo_ldap_netgroup_match_str(host, cp, ep - cp, true))
+    if (ep == NULL || !sudo_ldap_netgroup_match_str(host, cp, (size_t)(ep - cp), true))
 	debug_return_int(0);
 
     /* Parse user. */
     cp = ep + 1;
     ep = strchr(cp, ',');
-    if (ep == NULL || !sudo_ldap_netgroup_match_str(user, cp, ep - cp, def_case_insensitive_user))
+    if (ep == NULL || !sudo_ldap_netgroup_match_str(user, cp, (size_t)(ep - cp), def_case_insensitive_user))
 	debug_return_int(0);
 
     /* Parse domain. */
     cp = ep + 1;
     ep = strchr(cp, ')');
-    if (ep == NULL || !sudo_ldap_netgroup_match_str(domain, cp, ep - cp, true))
+    if (ep == NULL || !sudo_ldap_netgroup_match_str(domain, cp, (size_t)(ep - cp), true))
 	debug_return_int(0);
 
     debug_return_int(1);

plugins/sudoers/ldap_util.c

@@ -253,7 +253,7 @@ sudo_ldap_extract_digest(const char *cmnd, char **endptr,
 {
     const char *ep, *cp = cmnd;
     struct command_digest *digest;
-    int digest_type = SUDO_DIGEST_INVALID;
+    unsigned int digest_type = SUDO_DIGEST_INVALID;
     debug_decl(sudo_ldap_extract_digest, SUDOERS_DEBUG_LDAP);
 
     /*
@@ -671,7 +671,7 @@ sudo_ldap_value_cat(char *dst, const char *src, size_t size)
     /* Find the end of dst and adjust bytes left but don't go past end */
     while (n-- != 0 && *d != '\0')
 	d++;
-    dlen = d - dst;
+    dlen = (size_t)(d - dst);
     n = size - dlen;
 
     if (n == 0)
@@ -723,7 +723,7 @@ done:
     *d = '\0';
     while (*s != '\0')
 	s++;
-    return dlen + (s - src);	/* count does not include NUL */
+    return dlen + (size_t)(s - src);	/* count does not include NUL */
 }
 
 /*

plugins/sudoers/linux_audit.c

@@ -87,8 +87,9 @@ linux_audit_command(char *const argv[], int result)
 	goto done;
     }
     for (av = argv, cp = command; *av != NULL; av++) {
-	n = strlcpy(cp, *av, size - (cp - command));
+	const size_t rem = size - (size_t)(cp - command);
-	if (n >= size - (cp - command)) {
+	n = strlcpy(cp, *av, rem);
+	if (n >= rem) {
 	    sudo_warnx(U_("internal error, %s overflow"), __func__);
 	    goto done;
 	}

plugins/sudoers/log_client.c

@@ -959,8 +959,8 @@ fmt_accept_message(struct client_closure *closure, struct eventlog *evlog)
 	sudo_warn("%s", U_("unable to get time of day"));
 	debug_return_bool(false);
     }
-    ts.tv_sec = now.tv_sec;
+    ts.tv_sec = (int64_t)now.tv_sec;
-    ts.tv_nsec = now.tv_nsec;
+    ts.tv_nsec = (int32_t)now.tv_nsec;
     accept_msg.submit_time = &ts;
 
     /* Client will send IoBuffer messages. */
@@ -1008,8 +1008,8 @@ fmt_reject_message(struct client_closure *closure, struct eventlog *evlog)
 	sudo_warn("%s", U_("unable to get time of day"));
 	debug_return_bool(false);
     }
-    ts.tv_sec = now.tv_sec;
+    ts.tv_sec = (int64_t)now.tv_sec;
-    ts.tv_nsec = now.tv_nsec;
+    ts.tv_nsec = (int32_t)now.tv_nsec;
     reject_msg.submit_time = &ts;
 
     /* Reason for rejecting the request. */
@@ -1057,8 +1057,8 @@ fmt_alert_message(struct client_closure *closure, struct eventlog *evlog)
 	sudo_warn("%s", U_("unable to get time of day"));
 	debug_return_bool(false);
     }
-    ts.tv_sec = now.tv_sec;
+    ts.tv_sec = (int64_t)now.tv_sec;
-    ts.tv_nsec = now.tv_nsec;
+    ts.tv_nsec = (int32_t)now.tv_nsec;
     alert_msg.alert_time = &ts;
 
     /* Reason for the alert. */
@@ -1184,8 +1184,8 @@ fmt_exit_message(struct client_closure *closure, int exit_status, int error)
     }
     sudo_timespecsub(&run_time, &closure->start_time, &run_time);
 
-    ts.tv_sec = run_time.tv_sec;
+    ts.tv_sec = (int64_t)run_time.tv_sec;
-    ts.tv_nsec = run_time.tv_nsec;
+    ts.tv_nsec = (int32_t)run_time.tv_nsec;
     exit_msg.run_time = &ts;
 
     if (error != 0) {
@@ -1256,8 +1256,8 @@ fmt_io_buf(struct client_closure *closure, int type, const char *buf,
     debug_decl(fmt_io_buf, SUDOERS_DEBUG_UTIL);
 
     /* Fill in IoBuffer. */
-    ts.tv_sec = delay->tv_sec;
+    ts.tv_sec = (int64_t)delay->tv_sec;
-    ts.tv_nsec = delay->tv_nsec;
+    ts.tv_nsec = (int32_t)delay->tv_nsec;
     iobuf_msg.delay = &ts;
     iobuf_msg.data.data = (void *)buf;
     iobuf_msg.data.len = len;
@@ -1294,11 +1294,11 @@ fmt_winsize(struct client_closure *closure, unsigned int lines,
     debug_decl(fmt_winsize, SUDOERS_DEBUG_UTIL);
 
     /* Fill in ChangeWindowSize message. */
-    ts.tv_sec = delay->tv_sec;
+    ts.tv_sec = (int64_t)delay->tv_sec;
-    ts.tv_nsec = delay->tv_nsec;
+    ts.tv_nsec = (int32_t)delay->tv_nsec;
     winsize_msg.delay = &ts;
-    winsize_msg.rows = lines;
+    winsize_msg.rows = (int32_t)lines;
-    winsize_msg.cols = cols;
+    winsize_msg.cols = (int32_t)cols;
 
     sudo_debug_printf(SUDO_DEBUG_INFO, "%s: sending ChangeWindowSize, %dx%d",
 	__func__, winsize_msg.rows, winsize_msg.cols);
@@ -1330,8 +1330,8 @@ fmt_suspend(struct client_closure *closure, const char *signame, struct timespec
     debug_decl(fmt_suspend, SUDOERS_DEBUG_UTIL);
 
     /* Fill in CommandSuspend message. */
-    ts.tv_sec = delay->tv_sec;
+    ts.tv_sec = (int64_t)delay->tv_sec;
-    ts.tv_nsec = delay->tv_nsec;
+    ts.tv_nsec = (int32_t)delay->tv_nsec;
     suspend_msg.delay = &ts;
     suspend_msg.signal = (char *)signame;
 
@@ -1779,7 +1779,7 @@ server_msg_cb(int fd, int what, void *v)
     default:
 	break;
     }
-    buf->len += nread;
+    buf->len += (size_t)nread;
 
     while (buf->len - buf->off >= sizeof(msg_len)) {
 	/* Read wire message size (uint32_t in network byte order). */
@@ -1905,7 +1905,7 @@ client_msg_cb(int fd, int what, void *v)
 	sudo_warn("send");
 	goto bad;
     }
-    buf->off += nwritten;
+    buf->off += (size_t)nwritten;
 
     if (buf->off == buf->len) {
 	/* sent entire message, move buf to free list */

plugins/sudoers/logging.c

@@ -394,7 +394,7 @@ fmt_authfail_message(unsigned int tries)
 	debug_return_ptr(ret);
     }
 
-    len = snprintf(numbuf, sizeof(numbuf), "%u", tries);
+    len = (size_t)snprintf(numbuf, sizeof(numbuf), "%u", tries);
     if (len >= sizeof(numbuf))
 	goto overflow;
 
@@ -436,7 +436,7 @@ fmt_authfail_message(unsigned int tries)
 		src++;
 		break;
 	    case 'd':
-		len = strlcpy(dst, numbuf, dst_end - dst);
+		len = strlcpy(dst, numbuf, (size_t)(dst_end - dst));
 		if (len >= (size_t)(dst_end - dst))
 		    goto overflow;
 		dst += len;

plugins/sudoers/match_addr.c

@@ -127,7 +127,7 @@ addr_matches_if_netmask(const char *n, const char *m)
 		debug_return_bool(false);
 	    }
 	} else {
-	    i = sudo_strtonum(m, 1, 32, &errstr);
+	    i = (size_t)sudo_strtonum(m, 1, 32, &errstr);
 	    if (errstr != NULL) {
 		sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
 		    "IPv4 netmask %s: %s", m, errstr);
@@ -140,7 +140,7 @@ addr_matches_if_netmask(const char *n, const char *m)
 #ifdef HAVE_STRUCT_IN6_ADDR
     else {
 	if (inet_pton(AF_INET6, m, &mask.ip6) != 1) {
-	    j = sudo_strtonum(m, 1, 128, &errstr);
+	    j = (size_t)sudo_strtonum(m, 1, 128, &errstr);
 	    if (errstr != NULL) {
 		sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
 		    "IPv6 netmask %s: %s", m, errstr);

plugins/sudoers/match_command.c

@@ -674,7 +674,7 @@ command_matches_normal(const char *sudoers_cmnd, const char *sudoers_args,
 	const char *slash = strrchr(sudoers_cmnd, '/');
 	if (slash != NULL) {
 	    char sudoers_cmnd_dir[PATH_MAX], *resolved;
-	    const size_t len = slash - sudoers_cmnd;
+	    const size_t len = (size_t)(slash - sudoers_cmnd);
 	    if (len >= sizeof(sudoers_cmnd_dir))
 		goto bad;
 	    if (len != 0)

plugins/sudoers/parse.h

@@ -275,7 +275,7 @@ struct sudoers_comment {
  */
 struct alias {
     char *name;				/* alias name */
-    unsigned short type;		/* {USER,HOST,RUNAS,CMND}ALIAS */
+    short type;				/* {USER,HOST,RUNAS,CMND}ALIAS */
     short used;				/* "used" flag for cycle detection */
     int line;				/* line number of alias entry */
     int column;				/* column number of alias entry */
@@ -292,9 +292,8 @@ struct defaults {
     char *val;				/* variable value */
     struct defaults_binding *binding;	/* user/host/runas binding */
     char *file;				/* file Defaults entry was in */
-    short type;				/* DEFAULTS{,_USER,_RUNAS,_HOST} */
+    int type;				/* DEFAULTS{,_USER,_RUNAS,_HOST} */
-    char op;				/* true, false, '+', '-' */
+    int op;				/* true, false, '+', '-' */
-    char error;				/* parse error flag */
     int line;				/* line number of Defaults entry */
     int column;				/* column number of Defaults entry */
 };
@@ -390,10 +389,10 @@ SLIST_HEAD(parser_leak_list, parser_leak_entry);
 struct rbtree *alloc_aliases(void);
 void free_aliases(struct rbtree *aliases);
 bool no_aliases(const struct sudoers_parse_tree *parse_tree);
-bool alias_add(struct sudoers_parse_tree *parse_tree, char *name, int type, char *file, int line, int column, struct member *members);
+bool alias_add(struct sudoers_parse_tree *parse_tree, char *name, short type, char *file, int line, int column, struct member *members);
-const char *alias_type_to_string(int alias_type);
+const char *alias_type_to_string(short alias_type);
-struct alias *alias_get(const struct sudoers_parse_tree *parse_tree, const char *name, int type);
+struct alias *alias_get(const struct sudoers_parse_tree *parse_tree, const char *name, short type);
-struct alias *alias_remove(struct sudoers_parse_tree *parse_tree, const char *name, int type);
+struct alias *alias_remove(struct sudoers_parse_tree *parse_tree, const char *name, short type);
 bool alias_find_used(struct sudoers_parse_tree *parse_tree, struct rbtree *used_aliases);
 void alias_apply(struct sudoers_parse_tree *parse_tree, int (*func)(struct sudoers_parse_tree *, struct alias *, void *), void *cookie);
 void alias_free(void *a);
@@ -495,7 +494,7 @@ bool sudoers_parse_ldif(struct sudoers_parse_tree *parse_tree, FILE *fp, const c
 struct sudo_lbuf;
 bool sudoers_format_cmndspec(struct sudo_lbuf *lbuf, const struct sudoers_parse_tree *parse_tree, struct cmndspec *cs, struct cmndspec *prev_cs, struct cmndtag tags, bool expand_aliases);
 bool sudoers_format_default(struct sudo_lbuf *lbuf, struct defaults *d);
-bool sudoers_format_member(struct sudo_lbuf *lbuf, const struct sudoers_parse_tree *parse_tree, struct member *m, const char *separator, int alias_type);
+bool sudoers_format_member(struct sudo_lbuf *lbuf, const struct sudoers_parse_tree *parse_tree, struct member *m, const char *separator, short alias_type);
 bool sudoers_defaults_to_tags(const char *var, const char *val, int op, struct cmndtag *tags);
 bool sudoers_defaults_list_to_tags(struct defaults_list *defs, struct cmndtag *tags);
 

plugins/sudoers/parse_ldif.c

@@ -577,7 +577,7 @@ sudoers_parse_ldif(struct sudoers_parse_tree *parse_tree,
     bool in_role = false;
     size_t linesize = 0;
     char *attr, *name, *line = NULL, *savedline = NULL;
-    ssize_t savedlen = 0;
+    size_t savedlen = 0;
     bool mismatch = false;
     int errors = 0;
     debug_decl(sudoers_parse_ldif, SUDOERS_DEBUG_UTIL);
@@ -647,12 +647,12 @@ sudoers_parse_ldif(struct sudoers_parse_tree *parse_tree,
 	    char *tmp;
 
 	    /* Append to saved line. */
-	    linesize = savedlen + len + 1;
+	    linesize = savedlen + (size_t)len + 1;
 	    if ((tmp = realloc(savedline, linesize)) == NULL) {
 		sudo_fatalx(U_("%s: %s"), __func__,
 		    U_("unable to allocate memory"));
 	    }
-	    memcpy(tmp + savedlen, line, len + 1);
+	    memcpy(tmp + savedlen, line, (size_t)len + 1);
 	    free(line);
 	    line = tmp;
 	    savedline = NULL;
@@ -661,7 +661,7 @@ sudoers_parse_ldif(struct sudoers_parse_tree *parse_tree,
 	/* Check for folded line */
 	if ((ch = getc(fp)) == ' ') {
 	    /* folded line, append to the saved portion. */
-	    savedlen = len;
+	    savedlen = (size_t)len;
 	    savedline = line;
 	    line = NULL;
 	    linesize = 0;

plugins/sudoers/policy.c

@@ -191,7 +191,7 @@ sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
 	if (MATCHES(*cur, "closefrom=")) {
 	    errno = 0;
 	    p = *cur + sizeof("closefrom=") - 1;
-	    user_closefrom = sudo_strtonum(p, 3, INT_MAX, &errstr);
+	    user_closefrom = (int)sudo_strtonum(p, 3, INT_MAX, &errstr);
 	    if (user_closefrom == 0) {
 		sudo_warnx(U_("%s: %s"), *cur, U_(errstr));
 		goto bad;
@@ -361,7 +361,7 @@ sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
 	if (MATCHES(*cur, "max_groups=")) {
 	    errno = 0;
 	    p = *cur + sizeof("max_groups=") - 1;
-	    sudo_user.max_groups = sudo_strtonum(p, 1, 1024, &errstr);
+	    sudo_user.max_groups = (int)sudo_strtonum(p, 1, 1024, &errstr);
 	    if (sudo_user.max_groups == 0) {
 		sudo_warnx(U_("%s: %s"), *cur, U_(errstr));
 		goto bad;
@@ -473,7 +473,7 @@ sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
 	if (MATCHES(*cur, "lines=")) {
 	    errno = 0;
 	    p = *cur + sizeof("lines=") - 1;
-	    sudo_user.lines = sudo_strtonum(p, 1, INT_MAX, &errstr);
+	    sudo_user.lines = (int)sudo_strtonum(p, 1, INT_MAX, &errstr);
 	    if (sudo_user.lines == 0) {
 		sudo_warnx(U_("%s: %s"), *cur, U_(errstr));
 		goto bad;
@@ -483,7 +483,7 @@ sudoers_policy_deserialize_info(void *v, struct defaults_list *defaults)
 	if (MATCHES(*cur, "cols=")) {
 	    errno = 0;
 	    p = *cur + sizeof("cols=") - 1;
-	    sudo_user.cols = sudo_strtonum(p, 1, INT_MAX, &errstr);
+	    sudo_user.cols = (int)sudo_strtonum(p, 1, INT_MAX, &errstr);
 	    if (sudo_user.cols == 0) {
 		sudo_warnx(U_("%s: %s"), *cur, U_(errstr));
 		goto bad;
@@ -803,7 +803,7 @@ sudoers_policy_store_result(bool accepted, char *argv[], char *envp[],
 
 	/* We reserve an extra spot in the list for the effective gid. */
 	glsize = sizeof("runas_groups=") - 1 +
-	    ((gidlist->ngids + 1) * (MAX_UID_T_LEN + 1));
+	    ((size_t)(gidlist->ngids + 1) * (MAX_UID_T_LEN + 1));
 	gid_list = malloc(glsize);
 	if (gid_list == NULL) {
 	    sudo_gidlist_delref(gidlist);
@@ -811,29 +811,32 @@ sudoers_policy_store_result(bool accepted, char *argv[], char *envp[],
 	}
 	memcpy(gid_list, "runas_groups=", sizeof("runas_groups=") - 1);
 	cp = gid_list + sizeof("runas_groups=") - 1;
+	glsize -= (size_t)(cp - gid_list);
 
 	/* On BSD systems the effective gid is the first group in the list. */
 	egid = runas_gr ? (unsigned int)runas_gr->gr_gid :
 	    (unsigned int)runas_pw->pw_gid;
-	len = snprintf(cp, glsize - (cp - gid_list), "%u", (unsigned int)egid);
+	len = snprintf(cp, glsize, "%u", (unsigned int)egid);
-	if (len < 0 || (size_t)len >= glsize - (cp - gid_list)) {
+	if (len < 0 || (size_t)len >= glsize) {
 	    sudo_warnx(U_("internal error, %s overflow"), __func__);
 	    free(gid_list);
 	    sudo_gidlist_delref(gidlist);
 	    goto bad;
 	}
 	cp += len;
+	glsize -= (size_t)len;
 	for (i = 0; i < gidlist->ngids; i++) {
 	    if (gidlist->gids[i] != egid) {
-		len = snprintf(cp, glsize - (cp - gid_list), ",%u",
+		len = snprintf(cp, glsize, ",%u",
-		     (unsigned int) gidlist->gids[i]);
+		     (unsigned int)gidlist->gids[i]);
-		if (len < 0 || (size_t)len >= glsize - (cp - gid_list)) {
+		if (len < 0 || (size_t)len >= glsize) {
 		    sudo_warnx(U_("internal error, %s overflow"), __func__);
 		    free(gid_list);
 		    sudo_gidlist_delref(gidlist);
 		    goto bad;
 		}
 		cp += len;
+		glsize -= (size_t)len;
 	    }
 	}
 	command_info[info_len++] = gid_list;

plugins/sudoers/pwutil.c

@@ -902,7 +902,8 @@ done:
 }
 
 static void
-sudo_debug_group_list(const char *user, char * const *groups, int level)
+sudo_debug_group_list(const char *user, char * const *groups,
+    unsigned int level)
 {
     size_t i, len = 0;
     debug_decl(sudo_debug_group_list, SUDOERS_DEBUG_NSS);
@@ -918,7 +919,8 @@ sudo_debug_group_list(const char *user, char * const *groups, int level)
 	if (groupstr != NULL) {
 	    char *cp = groupstr;
 	    for (i = 0; groups[i] != NULL; i++) {
-		size_t n = snprintf(cp, len, "%s%s", i ? "," : "", groups[i]);
+		size_t n = (size_t)snprintf(cp, len, "%s%s", i ? "," : "",
+		    groups[i]);
 		if (n >= len)
 		    break;
 		cp += n;

plugins/sudoers/pwutil_impl.c

@@ -270,7 +270,7 @@ PREFIX(make_gidlist_item)(const struct passwd *pw, char * const *gidstrs,
 	    ngids = 1;
 	    for (i = 0; gidstrs[i] != NULL; i++)
 		ngids++;
-	    gids = reallocarray(NULL, ngids, sizeof(GETGROUPS_T));
+	    gids = reallocarray(NULL, (size_t)ngids, sizeof(GETGROUPS_T));
 	    if (gids == NULL) {
 		sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
 		    "unable to allocate memory");
@@ -301,7 +301,7 @@ PREFIX(make_gidlist_item)(const struct passwd *pw, char * const *gidstrs,
 	type = ENTRY_TYPE_QUERIED;
 	if (sudo_user.max_groups > 0) {
 	    ngids = sudo_user.max_groups;
-	    gids = reallocarray(NULL, ngids, sizeof(GETGROUPS_T));
+	    gids = reallocarray(NULL, (size_t)ngids, sizeof(GETGROUPS_T));
 	    if (gids == NULL) {
 		sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
 		    "unable to allocate memory");
@@ -328,7 +328,7 @@ PREFIX(make_gidlist_item)(const struct passwd *pw, char * const *gidstrs,
     /* Allocate in one big chunk for easy freeing. */
     nsize = strlen(pw->pw_name) + 1;
     total = sizeof(*glitem) + nsize;
-    total += sizeof(gid_t *) * ngids;
+    total += sizeof(gid_t *) * (size_t)ngids;
 
     if ((glitem = calloc(1, total)) == NULL) {
 	sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
@@ -345,7 +345,7 @@ PREFIX(make_gidlist_item)(const struct passwd *pw, char * const *gidstrs,
     gidlist = &glitem->gidlist;
     cp = (char *)(glitem + 1);
     gidlist->gids = (gid_t *)cp;
-    cp += sizeof(gid_t) * ngids;
+    cp += sizeof(gid_t) * (size_t)ngids;
 
     /* Set key and datum. */
     memcpy(cp, pw->pw_name, nsize);
@@ -390,7 +390,7 @@ PREFIX(make_grlist_item)(const struct passwd *pw, char * const *unused1)
     }
 
 #ifdef _SC_LOGIN_NAME_MAX
-    groupname_len = MAX(sysconf(_SC_LOGIN_NAME_MAX), 32);
+    groupname_len = MAX((size_t)sysconf(_SC_LOGIN_NAME_MAX), 32);
 #else
     groupname_len = MAX(LOGIN_NAME_MAX, 32);
 #endif
@@ -398,8 +398,8 @@ PREFIX(make_grlist_item)(const struct passwd *pw, char * const *unused1)
     /* Allocate in one big chunk for easy freeing. */
     nsize = strlen(pw->pw_name) + 1;
     total = sizeof(*grlitem) + nsize;
-    total += sizeof(char *) * gidlist->ngids;
+    total += sizeof(char *) * (size_t)gidlist->ngids;
-    total += groupname_len * gidlist->ngids;
+    total += groupname_len * (size_t)gidlist->ngids;
 
 again:
     if ((grlitem = calloc(1, total)) == NULL) {
@@ -417,7 +417,7 @@ again:
     grlist = &grlitem->grlist;
     cp = (char *)(grlitem + 1);
     grlist->groups = (char **)cp;
-    cp += sizeof(char *) * gidlist->ngids;
+    cp += sizeof(char *) * (size_t)gidlist->ngids;
 
     /* Set key and datum. */
     memcpy(cp, pw->pw_name, nsize);
@@ -437,7 +437,7 @@ again:
     for (i = 0; i < gidlist->ngids; i++) {
 	if ((grp = sudo_getgrgid(gidlist->gids[i])) != NULL) {
 	    len = strlen(grp->gr_name) + 1;
-	    if (cp - (char *)grlitem + len > total) {
+	    if ((size_t)(cp - (char *)grlitem) + len > total) {
 		total += len + groupname_len;
 		free(grlitem);
 		sudo_gr_delref(grp);
@@ -449,7 +449,7 @@ again:
 	    sudo_gr_delref(grp);
 	}
     }
-    grlist->ngroups = ngroups;
+    grlist->ngroups = (int)ngroups;
     sudo_gidlist_delref(gidlist);
 
 #ifdef HAVE_SETAUTHDB

plugins/sudoers/regress/fuzz/fuzz_policy.c

@@ -435,11 +435,11 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 		break;
 	    case PASS_CHECK_LOG_LOCAL: {
 		/* sudo command w/ local I/O logging (MODE_RUN) */
-		sudoers_policy.check_policy(argv.len, argv.entries,
+		sudoers_policy.check_policy((int)argv.len, argv.entries,
 		    env_add.entries, &command_info, &argv_out, &user_env_out,
 		    &errstr);
 		/* call check_policy() again to check for leaks. */
-		sudoers_policy.check_policy(argv.len, argv.entries,
+		sudoers_policy.check_policy((int)argv.len, argv.entries,
 		    env_add.entries, &command_info, &argv_out, &user_env_out,
 		    &errstr);
 		/* sudo_auth_begin_session() is stubbed out below. */
@@ -448,11 +448,11 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 	    }
 	    case PASS_CHECK_LOG_REMOTE:
 		/* sudo command w/ remote I/O logging (MODE_RUN) */
-		sudoers_policy.check_policy(argv.len, argv.entries,
+		sudoers_policy.check_policy((int)argv.len, argv.entries,
 		    env_add.entries, &command_info, &argv_out, &user_env_out,
 		    &errstr);
 		/* call check_policy() again to check for leaks. */
-		sudoers_policy.check_policy(argv.len, argv.entries,
+		sudoers_policy.check_policy((int)argv.len, argv.entries,
 		    env_add.entries, &command_info, &argv_out, &user_env_out,
 		    &errstr);
 		/* sudo_auth_begin_session() is stubbed out below. */
@@ -460,7 +460,7 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 		break;
 	    case PASS_CHECK_NOT_FOUND:
 		/* sudo command (not found) */
-		sudoers_policy.check_policy(argv.len, argv.entries,
+		sudoers_policy.check_policy((int)argv.len, argv.entries,
 		    env_add.entries, &command_info, &argv_out, &user_env_out,
 		    &errstr);
 		/* sudo_auth_begin_session() is stubbed out below. */
@@ -468,11 +468,11 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 		break;
 	    case PASS_CHECK_NOT_FOUND_DOT:
 		/* sudo command (found but in cwd) */
-		sudoers_policy.check_policy(argv.len, argv.entries,
+		sudoers_policy.check_policy((int)argv.len, argv.entries,
 		    env_add.entries, &command_info, &argv_out, &user_env_out,
 		    &errstr);
 		/* call check_policy() again to check for leaks. */
-		sudoers_policy.check_policy(argv.len, argv.entries,
+		sudoers_policy.check_policy((int)argv.len, argv.entries,
 		    env_add.entries, &command_info, &argv_out, &user_env_out,
 		    &errstr);
 		/* sudo_auth_begin_session() is stubbed out below. */
@@ -492,10 +492,10 @@ LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
 		break;
 	    case PASS_LIST_CHECK:
 		/* sudo -l command (MODE_CHECK) */
-		sudoers_policy.list(argv.len, argv.entries, false, NULL,
+		sudoers_policy.list((int)argv.len, argv.entries, false, NULL,
 		    &errstr);
 		/* call list() again to check for leaks. */
-		sudoers_policy.list(argv.len, argv.entries, false, NULL,
+		sudoers_policy.list((int)argv.len, argv.entries, false, NULL,
 		    &errstr);
 		break;
 	    case PASS_VALIDATE:

plugins/sudoers/regress/parser/check_addr.c

@@ -52,7 +52,7 @@ check_addr(char *input)
     cp = input + len;
     while (isspace((unsigned char)*cp))
 	cp++;
-    expected = sudo_strtonum(cp, 0, 1, &errstr);
+    expected = (int)sudo_strtonum(cp, 0, 1, &errstr);
     if (errstr != NULL)
 	sudo_fatalx("expecting 0 or 1, got %s", cp);
     input[len] = '\0';

plugins/sudoers/regress/parser/check_fill.c

@@ -48,8 +48,8 @@ YYSTYPE sudoerslval;
 struct fill_test {
     const char *input;
     const char *output;
-    int len;
+    size_t len;
-    int addspace;
+    bool addspace;
 };
 
 /*
@@ -82,16 +82,16 @@ static struct fill_test cmd_data[] = {
  * Arguments get appended.
  */
 static struct fill_test args_data[] = {
-    { "/", "/", 0, 0 },
+    { "/", "/", 0, false },
-    { "-type", "/ -type", 0, 1 },
+    { "-type", "/ -type", 0, true },
-    { "f", "/ -type f", 0, 1 },
+    { "f", "/ -type f", 0, true },
-    { "-exec", "/ -type f -exec", 0, 1 },
+    { "-exec", "/ -type f -exec", 0, true },
-    { "ls", "/ -type f -exec ls", 0, 1 },
+    { "ls", "/ -type f -exec ls", 0, true },
-    { "{}", "/ -type f -exec ls {}", 0, 1 }
+    { "{}", "/ -type f -exec ls {}", 0, true }
 };
 
 static int
-check_fill(const char *input, int len, int addspace, const char *expect, char **resultp)
+check_fill(const char *input, size_t len, bool addspace, const char *expect, char **resultp)
 {
     if (sudoerslval.string != NULL) {
 	free(sudoerslval.string);
@@ -104,7 +104,7 @@ check_fill(const char *input, int len, int addspace, const char *expect, char **
 }
 
 static int
-check_fill_cmnd(const char *input, int len, int addspace, const char *expect, char **resultp)
+check_fill_cmnd(const char *input, size_t len, bool addspace, const char *expect, char **resultp)
 {
     if (sudoerslval.command.cmnd != NULL) {
 	free(sudoerslval.command.cmnd);
@@ -117,7 +117,7 @@ check_fill_cmnd(const char *input, int len, int addspace, const char *expect, ch
 }
 
 static int
-check_fill_args(const char *input, int len, int addspace, const char *expect, char **resultp)
+check_fill_args(const char *input, size_t len, bool addspace, const char *expect, char **resultp)
 {
     /* Must not free old sudoerslval.command.args as gets appended to. */
     if (!fill_args(input, len, addspace))
@@ -127,11 +127,12 @@ check_fill_args(const char *input, int len, int addspace, const char *expect, ch
 }
 
 static int
-do_tests(int (*checker)(const char *, int, int, const char *, char **),
+do_tests(int (*checker)(const char *, size_t, bool, const char *, char **),
     struct fill_test *data, size_t ntests)
 {
-    int len, errors = 0;
+    int errors = 0;
     unsigned int i;
+    size_t len;
     char *result;
 
     for (i = 0; i < ntests; i++) {

plugins/sudoers/set_perms.c

@@ -42,6 +42,10 @@
 #include "sudoers.h"
 #include "check.h"
 
+/* No change when passed to setresuid(), etc. */
+#define NO_UID	(uid_t)-1
+#define NO_GID	(gid_t)-1
+
 /*
  * Prototypes
  */
@@ -72,9 +76,9 @@ static struct perm_state perm_stack[PERM_STACK_MAX];
 static int perm_stack_depth = 0;
 
 #undef ID
-#define ID(x) (state->x == ostate->x ? (uid_t)-1 : state->x)
+#define ID(x) (state->x == ostate->x ? NO_UID : state->x)
 #undef OID
-#define OID(x) (ostate->x == state->x ? (uid_t)-1 : ostate->x)
+#define OID(x) (ostate->x == state->x ? NO_UID : ostate->x)
 
 bool
 rewind_perms(void)
@@ -396,7 +400,7 @@ restore_perms(void)
 
     /* XXX - more cases here where euid != ruid */
     if (OID(euid) == ROOT_UID) {
-	if (setresuid(-1, ROOT_UID, -1)) {
+	if (setresuid(NO_UID, ROOT_UID, NO_UID)) {
 	    sudo_warn("setresuid() [%d, %d, %d] -> [%d, %d, %d]",
 		(int)state->ruid, (int)state->euid, (int)state->suid,
 		-1, ROOT_UID, -1);
@@ -742,7 +746,7 @@ restore_perms(void)
 	__func__, (int)state->rgid, (int)state->egid, (int)state->sgid,
 	(int)ostate->rgid, (int)ostate->egid, (int)ostate->sgid);
 
-    if (OID(ruid) != (uid_t)-1 || OID(euid) != (uid_t)-1 || OID(suid) != (uid_t)-1) {
+    if (OID(ruid) != NO_UID || OID(euid) != NO_UID || OID(suid) != NO_UID) {
 	if (OID(euid) == ROOT_UID) {
 	    sudo_debug_printf(SUDO_DEBUG_INFO, "%s: setuidx(ID_EFFECTIVE, %d)",
 		__func__, ROOT_UID);
@@ -763,7 +767,7 @@ restore_perms(void)
 		    (int)OID(ruid), (int)OID(euid), (int)OID(suid));
 		goto bad;
 	    }
-	} else if (OID(ruid) == (uid_t)-1 && OID(suid) == (uid_t)-1) {
+	} else if (OID(ruid) == NO_UID && OID(suid) == NO_UID) {
 	    /* May have already changed euid to ROOT_UID above. */
 	    if (OID(euid) != ROOT_UID) {
 		sudo_debug_printf(SUDO_DEBUG_INFO,
@@ -775,7 +779,7 @@ restore_perms(void)
 		    goto bad;
 		}
 	    }
-	} else if (OID(suid) == (uid_t)-1) {
+	} else if (OID(suid) == NO_UID) {
 	    /* Cannot set the real uid alone. */
 	    sudo_debug_printf(SUDO_DEBUG_INFO,
 		"%s: setuidx(ID_REAL|ID_EFFECTIVE, %d)", __func__, OID(ruid));
@@ -796,7 +800,7 @@ restore_perms(void)
 	    }
 	}
     }
-    if (OID(rgid) != (gid_t)-1 || OID(egid) != (gid_t)-1 || OID(sgid) != (gid_t)-1) {
+    if (OID(rgid) != NO_GID || OID(egid) != NO_GID || OID(sgid) != NO_GID) {
 	if (OID(rgid) == OID(egid) && OID(egid) == OID(sgid)) {
 	    sudo_debug_printf(SUDO_DEBUG_INFO,
 		"%s: setgidx(ID_EFFECTIVE|ID_REAL|ID_SAVED, %d)",
@@ -807,7 +811,7 @@ restore_perms(void)
 		    (int)OID(rgid), (int)OID(egid), (int)OID(sgid));
 		goto bad;
 	    }
-	} else if (OID(rgid) == (gid_t)-1 && OID(sgid) == (gid_t)-1) {
+	} else if (OID(rgid) == NO_GID && OID(sgid) == NO_GID) {
 	    sudo_debug_printf(SUDO_DEBUG_INFO, "%s: setgidx(ID_EFFECTIVE, %d)",
 		__func__, (int)OID(egid));
 	    if (setgidx(ID_EFFECTIVE, OID(egid))) {
@@ -816,7 +820,7 @@ restore_perms(void)
 		    (int)OID(rgid), (int)OID(egid), (int)OID(sgid));
 		goto bad;
 	    }
-	} else if (OID(sgid) == (gid_t)-1) {
+	} else if (OID(sgid) == NO_GID) {
 	    sudo_debug_printf(SUDO_DEBUG_INFO,
 		"%s: setgidx(ID_EFFECTIVE|ID_REAL, %d)", __func__, OID(rgid));
 	    if (setgidx(ID_REAL|ID_EFFECTIVE, OID(rgid))) {
@@ -904,14 +908,14 @@ set_perms(int perm)
 	 * setreuid(0, 0) may fail on some systems if euid is not already 0.
 	 */
 	if (ostate->euid != ROOT_UID) {
-	    if (setreuid(-1, ROOT_UID)) {
+	    if (setreuid(NO_UID, ROOT_UID)) {
 		(void)snprintf(errbuf, sizeof(errbuf),
 		    "PERM_ROOT: setreuid(-1, %d)", ROOT_UID);
 		goto bad;
 	    }
 	}
 	if (ostate->ruid != ROOT_UID) {
-	    if (setreuid(ROOT_UID, -1)) {
+	    if (setreuid(ROOT_UID, NO_UID)) {
 		(void)snprintf(errbuf, sizeof(errbuf),
 		    "PERM_ROOT: setreuid(%d, -1)", ROOT_UID);
 		goto bad;
@@ -1121,7 +1125,7 @@ restore_perms(void)
     if (OID(euid) == ROOT_UID) {
 	/* setuid() may not set the saved ID unless the euid is ROOT_UID */
 	if (ID(euid) != ROOT_UID) {
-	    if (setreuid(-1, ROOT_UID) != 0) {
+	    if (setreuid(NO_UID, ROOT_UID) != 0) {
 		sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
 		    "setreuid() [%d, %d] -> [-1, %d)", (int)state->ruid,
 		    (int)state->euid, ROOT_UID);
@@ -1441,7 +1445,7 @@ restore_perms(void)
 	goto bad;
     }
 
-    if (OID(egid) != (gid_t)-1 && setegid(ostate->egid)) {
+    if (OID(egid) != NO_GID && setegid(ostate->egid)) {
 	sudo_warn("setegid(%d)", (int)ostate->egid);
 	goto bad;
     }
@@ -1451,7 +1455,7 @@ restore_perms(void)
 	    goto bad;
 	}
     }
-    if (OID(euid) != (uid_t)-1 && seteuid(ostate->euid)) {
+    if (OID(euid) != NO_UID && seteuid(ostate->euid)) {
 	sudo_warn("seteuid(%d)", (int)ostate->euid);
 	goto bad;
     }
@@ -1593,7 +1597,7 @@ restore_perms(void)
     sudo_debug_printf(SUDO_DEBUG_INFO, "%s: gid: [%d] -> [%d]",
 	__func__, (int)state->rgid, (int)ostate->rgid);
 
-    if (OID(rgid) != (gid_t)-1 && setgid(ostate->rgid)) {
+    if (OID(rgid) != NO_GID && setgid(ostate->rgid)) {
 	sudo_warn("setgid(%d)", (int)ostate->rgid);
 	goto bad;
     }
@@ -1604,7 +1608,7 @@ restore_perms(void)
 	}
     }
     sudo_gidlist_delref(state->gidlist);
-    if (OID(ruid) != (uid_t)-1 && setuid(ostate->ruid)) {
+    if (OID(ruid) != NO_UID && setuid(ostate->ruid)) {
 	sudo_warn("setuid(%d)", (int)ostate->ruid);
 	goto bad;
     }

plugins/sudoers/sssd.c

@@ -489,7 +489,8 @@ sudo_sss_result_get(const struct sudo_nss *nss, struct passwd *pw)
 {
     struct sudo_sss_handle *handle = nss->handle;
     struct sss_sudo_result *sss_result = NULL;
-    uint32_t sss_error = 0, rc;
+    uint32_t sss_error = 0;
+    int rc;
     debug_decl(sudo_sss_result_get, SUDOERS_DEBUG_SSSD);
 
     sudo_debug_printf(SUDO_DEBUG_DIAG, "  username=%s", pw->pw_name);

plugins/sudoers/starttime.c

@@ -129,8 +129,8 @@ get_starttime(pid_t pid, struct timespec *starttime)
 	TIMEVAL_TO_TIMESPEC(&ki_proc->kp_proc.p_starttime, starttime);
 #else
 	/* NetBSD and OpenBSD */
-	starttime->tv_sec = ki_proc->p_ustart_sec;
+	starttime->tv_sec = (time_t)ki_proc->p_ustart_sec;
-	starttime->tv_nsec = ki_proc->p_ustart_usec * 1000;
+	starttime->tv_nsec = (long)(ki_proc->p_ustart_usec * 1000);
 #endif
 	sudo_debug_printf(SUDO_DEBUG_INFO,
 	    "%s: start time for %d: { %lld, %ld }", __func__,
@@ -201,7 +201,7 @@ get_starttime(pid_t pid, struct timespec *starttime)
     (void)snprintf(path, sizeof(path), "/proc/%u/stat", (unsigned int)pid);
     if ((fd = open(path, O_RDONLY | O_NOFOLLOW)) != -1) {
 	cp = buf;
-	while ((nread = read(fd, cp, buf + sizeof(buf) - cp)) != 0) {
+	while ((nread = read(fd, cp, sizeof(buf) - (size_t)(cp - buf))) != 0) {
 	    if (nread == -1) {
 		if (errno == EAGAIN || errno == EINTR)
 		    continue;
@@ -211,7 +211,7 @@ get_starttime(pid_t pid, struct timespec *starttime)
 	    if (cp >= buf + sizeof(buf))
 		break;
 	}
-	if (nread == 0 && memchr(buf, '\0', cp - buf) == NULL) {
+	if (nread == 0 && memchr(buf, '\0', (size_t)(cp - buf)) == NULL) {
 	    /*
 	     * Field 22 is the start time (%ull).
 	     * Since the process name at field 2 "(comm)" may include
@@ -245,9 +245,9 @@ get_starttime(pid_t pid, struct timespec *starttime)
 				goto done;
 
 			    /* Convert from ticks to timespec */
-			    starttime->tv_sec = ullval / tps;
+			    starttime->tv_sec = (time_t)(ullval / tps);
 			    starttime->tv_nsec =
-				(ullval % tps) * (1000000000 / tps);
+				(long)(ullval % tps) * (1000000000 / tps);
 			    ret = 0;
 
 			    sudo_debug_printf(SUDO_DEBUG_INFO,
@@ -290,7 +290,7 @@ get_starttime(pid_t pid, struct timespec *starttime)
      */
     rc = pstat_getproc(&pst, sizeof(pst), 0, pid);
     if (rc != -1 || errno == EOVERFLOW) {
-	starttime->tv_sec = pst.pst_start;
+	starttime->tv_sec = (time_t)pst.pst_start;
 	starttime->tv_nsec = 0;
 
 	sudo_debug_printf(SUDO_DEBUG_INFO,
@@ -319,8 +319,8 @@ get_starttime(pid_t pid, struct timespec *starttime)
 	count = sizeof(info) / sizeof(integer_t);
 	error = task_info(target, TASK_BASIC_INFO, (task_info_t)&info, &count);
 	if (error == KERN_SUCCESS) {
-	    starttime->tv_sec = info.creation_time.seconds;
+	    starttime->tv_sec = (time_t)info.creation_time.seconds;
-	    starttime->tv_nsec = info.creation_time.microseconds * 1000;
+	    starttime->tv_nsec = (long)(info.creation_time.microseconds * 1000);
 	    debug_return_int(0);
 	}
     }

plugins/sudoers/sudoers.c

@@ -623,13 +623,13 @@ sudoers_check_cmnd(int argc, char * const argv[], char *env_add[],
 	sudoers_gc_remove(GC_PTR, NewArgv);
 	free(NewArgv);
     }
-    NewArgv = reallocarray(NULL, argc + 2, sizeof(char *));
+    NewArgv = reallocarray(NULL, (size_t)argc + 2, sizeof(char *));
     if (NewArgv == NULL) {
 	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
 	goto error;
     }
     sudoers_gc_add(GC_PTR, NewArgv);
-    memcpy(NewArgv, argv, argc * sizeof(char *));
+    memcpy(NewArgv, argv, (size_t)argc * sizeof(char *));
     NewArgc = argc;
     NewArgv[NewArgc] = NULL;
     if (ISSET(sudo_mode, MODE_LOGIN_SHELL) && runas_pw != NULL) {
@@ -691,7 +691,7 @@ sudoers_check_cmnd(int argc, char * const argv[], char *env_add[],
 	if (NewArgc > 1 && strcmp(NewArgv[0], "-bash") == 0 &&
 	    strcmp(NewArgv[1], "-c") == 0) {
 	    /* We allocated extra space for the --login above. */
-	    memmove(&NewArgv[2], &NewArgv[1], sizeof(char *) * NewArgc);
+	    memmove(&NewArgv[2], &NewArgv[1], (size_t)NewArgc * sizeof(char *));
 	    NewArgv[1] = (char *)"--login";
 	    NewArgc++;
 	}
@@ -896,7 +896,7 @@ sudoers_list(int argc, char * const argv[], const char *list_user, bool verbose)
 	}
     }
 
-    NewArgv = reallocarray(NULL, argc + 2, sizeof(char *));
+    NewArgv = reallocarray(NULL, (size_t)argc + 2, sizeof(char *));
     if (NewArgv == NULL) {
 	sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
 	goto done;
@@ -904,7 +904,7 @@ sudoers_list(int argc, char * const argv[], const char *list_user, bool verbose)
     sudoers_gc_add(GC_PTR, NewArgv);
     NewArgv[0] = (char *)"list";
     if (argc != 0)
-	memcpy(NewArgv + 1, argv, argc * sizeof(char *));
+	memcpy(NewArgv + 1, argv, (size_t)argc * sizeof(char *));
     NewArgc = argc + 1;
     NewArgv[NewArgc] = NULL;
 
@@ -1720,7 +1720,7 @@ cb_syslog_maxlen(const char *file, int line, int column,
 {
     debug_decl(cb_syslog_maxlen, SUDOERS_DEBUG_PLUGIN);
 
-    eventlog_set_syslog_maxlen(sd_un->ival);
+    eventlog_set_syslog_maxlen((size_t)sd_un->ival);
 
     debug_return_bool(true);
 }
@@ -1731,7 +1731,7 @@ cb_loglinelen(const char *file, int line, int column,
 {
     debug_decl(cb_loglinelen, SUDOERS_DEBUG_PLUGIN);
 
-    eventlog_set_file_maxlen(sd_un->ival);
+    eventlog_set_file_maxlen((size_t)sd_un->ival);
 
     debug_return_bool(true);
 }

plugins/sudoers/sudoreplay.c

@@ -90,9 +90,9 @@ struct replay_closure {
     bool interactive;
     bool suspend_wait;
     struct io_buffer {
-	unsigned int len; /* buffer length (how much produced) */
+	size_t len; /* buffer length (how much produced) */
-	unsigned int off; /* write position (how much already consumed) */
+	size_t off; /* write position (how much already consumed) */
-	unsigned int toread; /* how much remains to be read */
+	size_t toread; /* how much remains to be read */
 	int lastc;	  /* last char written */
 	char buf[64 * 1024];
     } iobuf;
@@ -269,9 +269,9 @@ main(int argc, char *argv[])
 	    if (dval <= 0.0) {
 		sudo_timespecclear(&max_delay_storage);
 	    } else {
-		max_delay_storage.tv_sec = dval;
+		max_delay_storage.tv_sec = (time_t)dval;
-		max_delay_storage.tv_nsec =
+		max_delay_storage.tv_nsec = (long)
-		    (dval - max_delay_storage.tv_sec) * 1000000000.0;
+		    ((dval - (double)max_delay_storage.tv_sec) * 1000000000.0);
 	    }
 	    max_delay = &max_delay_storage;
 	    break;
@@ -857,7 +857,7 @@ fill_iobuf(struct replay_closure *closure)
 	if (nread <= 0) {
 	    if (nread == 0) {
 		sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
-		    "%s/%s: premature EOF, expected %u bytes",
+		    "%s/%s: premature EOF, expected %zu bytes",
 		    closure->iolog_dir, iolog_fd_to_name(timing->event),
 		    closure->iobuf.toread);
 	    } else {
@@ -869,8 +869,8 @@ fill_iobuf(struct replay_closure *closure)
 		closure->iolog_dir, iolog_fd_to_name(timing->event), errstr);
 	    debug_return_bool(false);
 	}
-	closure->iobuf.toread -= nread;
+	closure->iobuf.toread -= (size_t)nread;
-	closure->iobuf.len += nread;
+	closure->iobuf.len += (size_t)nread;
     }
 
     debug_return_bool(true);
@@ -1096,10 +1096,11 @@ write_output(int fd, int what, void *v)
     struct replay_closure *closure = v;
     const struct timing_closure *timing = &closure->timing;
     struct io_buffer *iobuf = &closure->iobuf;
-    unsigned iovcnt = 1;
+    int iovcnt = 1;
     struct iovec iov[2];
     bool added_cr = false;
-    size_t nbytes, nwritten;
+    size_t nbytes;
+    ssize_t nwritten;
     debug_decl(write_output, SUDO_DEBUG_UTIL);
 
     /* Refill iobuf if there is more to read and buf is empty. */
@@ -1136,7 +1137,7 @@ write_output(int fd, int what, void *v)
     }
 
     nwritten = writev(fd, iov, iovcnt);
-    switch ((ssize_t)nwritten) {
+    switch (nwritten) {
     case -1:
 	if (errno != EINTR && errno != EAGAIN)
 	    sudo_fatal(U_("unable to write to %s"), "stdout");
@@ -1145,9 +1146,9 @@ write_output(int fd, int what, void *v)
 	/* Should not happen. */
 	break;
     default:
-	if (added_cr && nwritten >= nbytes - 1) {
+	if (added_cr && (size_t)nwritten >= nbytes - 1) {
 	    /* The last char written was either '\r' or '\n'. */
-	    iobuf->lastc = nwritten == nbytes ? '\n' : '\r';
+	    iobuf->lastc = (size_t)nwritten == nbytes ? '\n' : '\r';
 	} else {
 	    /* Stash the last char written. */
 	    iobuf->lastc = *((char *)iov[0].iov_base + nwritten);
@@ -1156,7 +1157,7 @@ write_output(int fd, int what, void *v)
 	    /* Subtract one for the carriage return we added above. */
 	    nwritten--;
 	}
-	iobuf->off += nwritten;
+	iobuf->off += (size_t)nwritten;
 	break;
     }
 
@@ -1266,7 +1267,7 @@ parse_expr(struct search_node_list *head, char *argv[], bool sub_expr)
 		goto bad;
 	    if (!sub_expr)
 		sudo_fatalx("%s", U_("unmatched ')' in expression"));
-	    debug_return_int(av - argv + 1);
+	    debug_return_int((int)(av - argv) + 1);
 	default:
 	bad:
 	    sudo_fatalx(U_("unknown search term \"%s\""), *av);
@@ -1309,7 +1310,7 @@ parse_expr(struct search_node_list *head, char *argv[], bool sub_expr)
     if (not)
 	sudo_fatalx("%s", U_("illegal trailing \"!\""));
 
-    debug_return_int(av - argv);
+    debug_return_int((int)(av - argv));
 }
 
 static char *
@@ -1550,11 +1551,11 @@ find_sessions(const char *dir, regex_t *re, const char *user, const char *tty)
 
 	    /* Check for dir with a log file. */
 	    if (lstat(pathbuf, &sb) == 0 && S_ISREG(sb.st_mode)) {
-		pathbuf[sdlen + len - 4] = '\0';
+		pathbuf[sdlen + (size_t)(len - 4)] = '\0';
 		list_session(&lbuf, pathbuf, re, user, tty);
 	    } else {
 		/* Strip off "/log" and recurse if a non-log dir. */
-		pathbuf[sdlen + len - 4] = '\0';
+		pathbuf[sdlen + (size_t)(len - 4)] = '\0';
 		if (checked_type ||
 		    (lstat(pathbuf, &sb) == 0 && S_ISDIR(sb.st_mode)))
 		    find_sessions(pathbuf, re, user, tty);

plugins/sudoers/testsudoers.c

@@ -264,8 +264,8 @@ main(int argc, char *argv[])
 	if ((user_args = malloc(size)) == NULL)
 	    sudo_fatalx(U_("%s: %s"), __func__, U_("unable to allocate memory"));
 	for (to = user_args, from = argv; *from; from++) {
-	    n = strlcpy(to, *from, size - (to - user_args));
+	    n = strlcpy(to, *from, size - (size_t)(to - user_args));
-	    if (n >= size - (to - user_args))
+	    if (n >= size - (size_t)(to - user_args))
 		sudo_fatalx(U_("internal error, %s overflow"), getprogname());
 	    to += n;
 	    *to++ = ' ';

plugins/sudoers/timeout.c

@@ -50,7 +50,7 @@ parse_timeout(const char *timestr)
 
     do {
 	char *ep;
-	char ch;
+	int ch;
 	long l;
 
 	/* Parse number, must be present and positive. */
@@ -99,7 +99,7 @@ parse_timeout(const char *timestr)
 	}
 	cp = ep;
 
-	timeout += l;
+	timeout += (int)l;
     } while (*cp != '\0');
 
     debug_return_int(timeout);

plugins/sudoers/timestamp.c

@@ -390,8 +390,8 @@ ts_write(int fd, const char *fname, struct timestamp_entry *entry, off_t offset)
  * based on auth user pw.  Does not set the time stamp.
  */
 static void
-ts_init_key(struct timestamp_entry *entry, struct passwd *pw, int flags,
+ts_init_key(struct timestamp_entry *entry, struct passwd *pw,
-    enum def_tuple ticket_type)
+    unsigned short flags, enum def_tuple ticket_type)
 {
     struct stat sb;
     debug_decl(ts_init_key, SUDOERS_DEBUG_AUTH);
@@ -438,7 +438,8 @@ ts_init_key(struct timestamp_entry *entry, struct passwd *pw, int flags,
 }
 
 static void
-ts_init_key_nonglobal(struct timestamp_entry *entry, struct passwd *pw, int flags)
+ts_init_key_nonglobal(struct timestamp_entry *entry, struct passwd *pw,
+    unsigned short flags)
 {
     /*
      * Even if the timestamp type is global or kernel we still want to do
@@ -701,7 +702,7 @@ timestamp_lock(void *vcookie, struct passwd *pw)
 	    /* Old sudo record, convert it to TS_LOCKEXCL. */
 	    entry.type = TS_LOCKEXCL;
 	    memset((char *)&entry + offsetof(struct timestamp_entry, flags), 0,
-		nread - offsetof(struct timestamp_entry, flags));
+		(size_t)nread - offsetof(struct timestamp_entry, flags));
 	    if (ts_write(cookie->fd, cookie->fname, &entry, 0) == -1)
 		debug_return_bool(false);
 	} else {
@@ -977,7 +978,7 @@ timestamp_update(void *vcookie, struct passwd *pw)
     if (def_timestamp_type == kernel) {
 	int fd = open(_PATH_TTY, O_RDWR);
 	if (fd != -1) {
-	    int secs = def_timestamp_timeout.tv_sec;
+	    int secs = (int)def_timestamp_timeout.tv_sec;
 	    if (secs > 0) {
 		if (secs > 3600)
 		    secs = 3600;	/* OpenBSD limitation */

plugins/sudoers/toke.c

@@ -3324,7 +3324,7 @@ static int prev_state;
 static unsigned int digest_type = SUDO_DIGEST_INVALID;
 
 static bool pop_include(void);
-static yy_size_t sudoers_input(char *buf, yy_size_t max_size);
+static int sudoers_input(char *buf, yy_size_t max_size);
 
 #ifndef TRACELEXER
 static struct sudo_lbuf trace_lbuf;
@@ -3332,18 +3332,18 @@ static struct sudo_lbuf trace_lbuf;
 
 int (*trace_print)(const char *msg) = sudoers_trace_print;
 
-#define ECHO	ignore_result(fwrite(sudoerstext, sudoersleng, 1, sudoersout))
+#define ECHO	ignore_result(fwrite(sudoerstext, (size_t)sudoersleng, 1, sudoersout))
 
-#define YY_INPUT(buf, result, max_size)	(result) = sudoers_input(buf, max_size)
+#define YY_INPUT(buf, result, max_size)	(result) = sudoers_input(buf, (yy_size_t)(max_size))
 
 #define YY_USER_ACTION do {					\
 	sudolinebuf.toke_start = sudolinebuf.toke_end;		\
-	sudolinebuf.toke_end += sudoersleng;			\
+	sudolinebuf.toke_end += (size_t)sudoersleng;		\
 } while (0);
 
 #define sudoersless(n) do {					\
-	sudolinebuf.toke_end = sudolinebuf.toke_start + (n);	\
+	sudolinebuf.toke_end = sudolinebuf.toke_start + (size_t)(n);	\
-	yyless(n);						\
+	yyless((int)n);						\
 } while (0);
 
 #line 3344 "toke.c"
@@ -3906,9 +3906,9 @@ YY_RULE_SETUP
 #line 319 "toke.l"
 {
 			    /* Only return DIGEST if the length is correct. */
-			    yy_size_t digest_len =
+			    int digest_len =
 				sudo_digest_getlen(digest_type);
-			    if ((yy_size_t)sudoersleng == digest_len * 2) {
+			    if (sudoersleng == digest_len * 2) {
 				if (!fill(sudoerstext, sudoersleng))
 				    yyterminate();
 				BEGIN INITIAL;
@@ -3924,7 +3924,7 @@ YY_RULE_SETUP
 #line 334 "toke.l"
 {
 			    /* Only return DIGEST if the length is correct. */
-			    yy_size_t len, digest_len =
+			    int len, digest_len =
 				sudo_digest_getlen(digest_type);
 			    if (sudoerstext[sudoersleng - 1] == '=') {
 				/* use padding */
@@ -3933,7 +3933,7 @@ YY_RULE_SETUP
 				/* no padding */
 				len = (4 * digest_len + 2) / 3;
 			    }
-			    if ((yy_size_t)sudoersleng == len) {
+			    if (sudoersleng == len) {
 				if (!fill(sudoerstext, sudoersleng))
 				    yyterminate();
 				BEGIN INITIAL;
@@ -5987,7 +5987,7 @@ expand_include(const char *src)
     dst_size = 0;
     for (cp = sudo_strsplit(path, path_end, ":", &ep); cp != NULL;
 	    cp = sudo_strsplit(NULL, path_end, ":", &ep)) {
-	char *dirend = memrchr(cp, '/', ep - cp);
+	char *dirend = memrchr(cp, '/', (size_t)(ep - cp));
 	if (dirend != NULL) {
 	    dst_size += (size_t)(dirend - cp) + 1;
 	}
@@ -6014,7 +6014,7 @@ expand_include(const char *src)
 	    dst_size--;
 	}
 
-	dirend = memrchr(cp, '/', ep - cp);
+	dirend = memrchr(cp, '/', (size_t)(ep - cp));
 	if (dirend != NULL) {
 	    len = (size_t)(dirend - cp) + 1;
 	    if (len >= dst_size)
@@ -6250,7 +6250,7 @@ sudoers_trace_print(const char *msg)
 int
 sudoers_trace_print(const char *msg)
 {
-    const int sudo_debug_subsys = SUDOERS_DEBUG_PARSER;
+    const unsigned int sudo_debug_subsys = SUDOERS_DEBUG_PARSER;
 
     if (sudo_debug_needed(SUDO_DEBUG_DEBUG)) {
 	sudo_lbuf_append(&trace_lbuf, "%s", msg);
@@ -6273,7 +6273,7 @@ sudoers_trace_print(const char *msg)
  * On success, buf is guaranteed to end in a newline and not contain
  * embedded NULs.  Calls YY_FATAL_ERROR on error.
  */
-static yy_size_t
+static int
 sudoers_input(char *buf, yy_size_t max_size)
 {
     char *cp;
@@ -6291,12 +6291,12 @@ sudoers_input(char *buf, yy_size_t max_size)
 	if (ch == EOF)
 	    goto sudoers_eof;
 	ungetc(ch, sudoersin);
-	avail = getdelim(&sudolinebuf.buf, &sudolinebuf.size, '\n', sudoersin);
+	avail = (size_t)getdelim(&sudolinebuf.buf, &sudolinebuf.size, '\n', sudoersin);
 	if (avail == (size_t)-1) {
 sudoers_eof:
 	    /* EOF or error. */
 	    if (feof(sudoersin))
-		return 0;
+		debug_return_int(0);
 	    YY_FATAL_ERROR("input in flex scanner failed");
 	}
 
@@ -6314,7 +6314,7 @@ sudoers_eof:
 		cp = realloc(sudolinebuf.buf, avail + 2);
 		if (cp == NULL) {
 		    YY_FATAL_ERROR("unable to allocate memory");
-		    return 0;
+		    debug_return_int(0);
 		}
 		sudolinebuf.buf = cp;
 		sudolinebuf.size = avail + 2;
@@ -6336,6 +6336,6 @@ sudoers_eof:
     memcpy(buf, sudolinebuf.buf + sudolinebuf.off, avail);
     sudolinebuf.off += avail;
 
-    debug_return_size_t(avail);
+    debug_return_int((int)avail);
 }
 

plugins/sudoers/toke.h

@@ -34,10 +34,10 @@ extern struct sudolinebuf sudolinebuf;
 extern int sudolineno;
 extern char *sudoers_search_path;
 
-bool append(const char *, size_t);
+bool append(const char *, int);
-bool fill_args(const char *, size_t, int);
+bool fill_args(const char *, int, bool);
-bool fill_cmnd(const char *, size_t);
+bool fill_cmnd(const char *, int);
-bool fill(const char *, size_t);
+bool fill(const char *, int);
 void init_lexer(void);
 bool ipv6_valid(const char *s);
 int sudoers_trace_print(const char *);

plugins/sudoers/toke.l

@@ -64,7 +64,7 @@ static int prev_state;
 static unsigned int digest_type = SUDO_DIGEST_INVALID;
 
 static bool pop_include(void);
-static yy_size_t sudoers_input(char *buf, yy_size_t max_size);
+static int sudoers_input(char *buf, yy_size_t max_size);
 
 #ifndef TRACELEXER
 static struct sudo_lbuf trace_lbuf;
@@ -72,18 +72,18 @@ static struct sudo_lbuf trace_lbuf;
 
 int (*trace_print)(const char *msg) = sudoers_trace_print;
 
-#define ECHO	ignore_result(fwrite(sudoerstext, sudoersleng, 1, sudoersout))
+#define ECHO	ignore_result(fwrite(sudoerstext, (size_t)sudoersleng, 1, sudoersout))
 
-#define YY_INPUT(buf, result, max_size)	(result) = sudoers_input(buf, max_size)
+#define YY_INPUT(buf, result, max_size)	(result) = sudoers_input(buf, (yy_size_t)(max_size))
 
 #define YY_USER_ACTION do {					\
 	sudolinebuf.toke_start = sudolinebuf.toke_end;		\
-	sudolinebuf.toke_end += sudoersleng;			\
+	sudolinebuf.toke_end += (size_t)sudoersleng;		\
 } while (0);
 
 #define sudoersless(n) do {					\
-	sudolinebuf.toke_end = sudolinebuf.toke_start + (n);	\
+	sudolinebuf.toke_end = sudolinebuf.toke_start + (size_t)(n);	\
-	yyless(n);						\
+	yyless((int)n);						\
 } while (0);
 
 %}
@@ -318,9 +318,9 @@ DEFVAR			[a-z_]+
 
 <WANTDIGEST>[[:xdigit:]]+ {
 			    /* Only return DIGEST if the length is correct. */
-			    yy_size_t digest_len =
+			    int digest_len =
 				sudo_digest_getlen(digest_type);
-			    if ((yy_size_t)sudoersleng == digest_len * 2) {
+			    if (sudoersleng == digest_len * 2) {
 				if (!fill(sudoerstext, sudoersleng))
 				    yyterminate();
 				BEGIN INITIAL;
@@ -333,7 +333,7 @@ DEFVAR			[a-z_]+
 
 <WANTDIGEST>[A-Za-z0-9\+/=]+ {
 			    /* Only return DIGEST if the length is correct. */
-			    yy_size_t len, digest_len =
+			    int len, digest_len =
 				sudo_digest_getlen(digest_type);
 			    if (sudoerstext[sudoersleng - 1] == '=') {
 				/* use padding */
@@ -342,7 +342,7 @@ DEFVAR			[a-z_]+
 				/* no padding */
 				len = (4 * digest_len + 2) / 3;
 			    }
-			    if ((yy_size_t)sudoersleng == len) {
+			    if (sudoersleng == len) {
 				if (!fill(sudoerstext, sudoersleng))
 				    yyterminate();
 				BEGIN INITIAL;
@@ -1208,7 +1208,7 @@ expand_include(const char *src)
     dst_size = 0;
     for (cp = sudo_strsplit(path, path_end, ":", &ep); cp != NULL;
 	    cp = sudo_strsplit(NULL, path_end, ":", &ep)) {
-	char *dirend = memrchr(cp, '/', ep - cp);
+	char *dirend = memrchr(cp, '/', (size_t)(ep - cp));
 	if (dirend != NULL) {
 	    dst_size += (size_t)(dirend - cp) + 1;
 	}
@@ -1235,7 +1235,7 @@ expand_include(const char *src)
 	    dst_size--;
 	}
 
-	dirend = memrchr(cp, '/', ep - cp);
+	dirend = memrchr(cp, '/', (size_t)(ep - cp));
 	if (dirend != NULL) {
 	    len = (size_t)(dirend - cp) + 1;
 	    if (len >= dst_size)
@@ -1471,7 +1471,7 @@ sudoers_trace_print(const char *msg)
 int
 sudoers_trace_print(const char *msg)
 {
-    const int sudo_debug_subsys = SUDOERS_DEBUG_PARSER;
+    const unsigned int sudo_debug_subsys = SUDOERS_DEBUG_PARSER;
 
     if (sudo_debug_needed(SUDO_DEBUG_DEBUG)) {
 	sudo_lbuf_append(&trace_lbuf, "%s", msg);
@@ -1494,7 +1494,7 @@ sudoers_trace_print(const char *msg)
  * On success, buf is guaranteed to end in a newline and not contain
  * embedded NULs.  Calls YY_FATAL_ERROR on error.
  */
-static yy_size_t
+static int
 sudoers_input(char *buf, yy_size_t max_size)
 {
     char *cp;
@@ -1512,12 +1512,12 @@ sudoers_input(char *buf, yy_size_t max_size)
 	if (ch == EOF)
 	    goto sudoers_eof;
 	ungetc(ch, sudoersin);
-	avail = getdelim(&sudolinebuf.buf, &sudolinebuf.size, '\n', sudoersin);
+	avail = (size_t)getdelim(&sudolinebuf.buf, &sudolinebuf.size, '\n', sudoersin);
 	if (avail == (size_t)-1) {
 sudoers_eof:
 	    /* EOF or error. */
 	    if (feof(sudoersin))
-		return 0;
+		debug_return_int(0);
 	    YY_FATAL_ERROR("input in flex scanner failed");
 	}
 
@@ -1535,7 +1535,7 @@ sudoers_eof:
 		cp = realloc(sudolinebuf.buf, avail + 2);
 		if (cp == NULL) {
 		    YY_FATAL_ERROR("unable to allocate memory");
-		    return 0;
+		    debug_return_int(0);
 		}
 		sudolinebuf.buf = cp;
 		sudolinebuf.size = avail + 2;
@@ -1557,5 +1557,5 @@ sudoers_eof:
     memcpy(buf, sudolinebuf.buf + sudolinebuf.off, avail);
     sudolinebuf.off += avail;
 
-    debug_return_size_t(avail);
+    debug_return_int((int)avail);
 }

plugins/sudoers/toke_util.c

@@ -37,8 +37,8 @@
 #include "toke.h"
 #include <gram.h>
 
-static unsigned int arg_len = 0;
+static size_t arg_len = 0;
-static unsigned int arg_size = 0;
+static size_t arg_size = 0;
 
 /*
  * Copy the string and collapse any escaped characters.
@@ -52,7 +52,7 @@ copy_string(char *dst, const char *src, size_t len)
     while (len--) {
 	if (*src == '\\' && len) {
 	    if (src[1] == 'x' && len >= 3 && (h = sudo_hexchar(src + 2)) != -1) {
-		*dst++ = h;
+		*dst++ = (char)h;
 		src += 4;
 		len -= 3;
 	    } else {
@@ -68,8 +68,9 @@ copy_string(char *dst, const char *src, size_t len)
 }
 
 bool
-fill(const char *src, size_t len)
+fill(const char *src, int ilen)
 {
+    const size_t len = (size_t)ilen;
     char *dst;
     debug_decl(fill, SUDOERS_DEBUG_PARSER);
 
@@ -87,8 +88,9 @@ fill(const char *src, size_t len)
 }
 
 bool
-append(const char *src, size_t len)
+append(const char *src, int ilen)
 {
+    const size_t len = (size_t)ilen;
     size_t olen = 0;
     char *dst;
     debug_decl(append, SUDOERS_DEBUG_PARSER);
@@ -118,8 +120,9 @@ append(const char *src, size_t len)
     ((c) == ',' || (c) == ':' || (c) == '=' || (c) == ' ' || (c) == '\t' || (c) == '#')
 
 bool
-fill_cmnd(const char *src, size_t len)
+fill_cmnd(const char *src, int ilen)
 {
+    const size_t len = (size_t)ilen;
     char *dst;
     size_t i;
     debug_decl(fill_cmnd, SUDOERS_DEBUG_PARSER);
@@ -170,9 +173,10 @@ fill_cmnd(const char *src, size_t len)
 }
 
 bool
-fill_args(const char *s, size_t len, int addspace)
+fill_args(const char *s, int ilen, bool addspace)
 {
-    unsigned int new_len;
+    size_t len = (size_t)ilen;
+    size_t new_len;
     char *p;
     debug_decl(fill_args, SUDOERS_DEBUG_PARSER);
 
@@ -192,7 +196,7 @@ fill_args(const char *s, size_t len, int addspace)
 
     if (new_len >= arg_size) {
 	/* Allocate in increments of 128 bytes to avoid excessive realloc(). */
-	arg_size = (new_len + 1 + 127) & ~127;
+	arg_size = (new_len + 1 + 127) & ~127U;
 
 	parser_leak_remove(LEAK_PTR, sudoerslval.command.args);
 	p = realloc(sudoerslval.command.args, arg_size);
@@ -208,7 +212,7 @@ fill_args(const char *s, size_t len, int addspace)
     p = sudoerslval.command.args + arg_len;
     if (addspace)
 	*p++ = ' ';
-    len = arg_size - (p - sudoerslval.command.args);
+    len = arg_size - (size_t)(p - sudoerslval.command.args);
     if (strlcpy(p, s, len) >= len) {
 	sudo_warnx(U_("internal error, %s overflow"), __func__);
 	parser_leak_remove(LEAK_PTR, sudoerslval.command.args);

plugins/sudoers/tsgetgrpw.c

@@ -360,7 +360,7 @@ testsudoers_getgrouplist2(const char *name, GETGROUPS_T basegid,
 	grpsize = sysconf(_SC_NGROUPS_MAX);
 	if (grpsize < 0)
 	    grpsize = NGROUPS_MAX;
-	groups = reallocarray(NULL, grpsize, 4 * sizeof(*groups));
+	groups = reallocarray(NULL, (size_t)grpsize, 4 * sizeof(*groups));
 	if (groups == NULL)
 	    return -1;
 	grpsize <<= 2;
@@ -398,7 +398,7 @@ testsudoers_getgrouplist2(const char *name, GETGROUPS_T basegid,
 		    /* Static group vector. */
 		    goto done;
 		}
-		tmp = reallocarray(groups, grpsize, 2 * sizeof(*groups));
+		tmp = reallocarray(groups, (size_t)grpsize, 2 * sizeof(*groups));
 		if (tmp == NULL) {
 		    free(groups);
 		    groups = NULL;

plugins/sudoers/visudo.c

@@ -514,7 +514,7 @@ edit_sudoers(struct sudoersfile *sp, char *editor, int editor_argc,
 
 	    (void) lseek(sp->fd, (off_t)0, SEEK_SET);
 	    while ((nread = read(sp->fd, buf, sizeof(buf))) > 0) {
-		if (write(tfd, buf, nread) != nread)
+		if (write(tfd, buf, (size_t)nread) == -1)
 		    sudo_fatal("%s", U_("write error"));
 		lastch = buf[nread - 1];
 	    }
@@ -522,7 +522,7 @@ edit_sudoers(struct sudoersfile *sp, char *editor, int editor_argc,
 	    /* Add missing newline at EOF if needed. */
 	    if (lastch != '\n') {
 		lastch = '\n';
-		if (write(tfd, &lastch, 1) != 1)
+		if (write(tfd, &lastch, 1) == -1)
 		    sudo_fatal("%s", U_("write error"));
 	    }
 	}
@@ -1068,7 +1068,7 @@ new_sudoers(const char *path, bool doedit)
 	cp != NULL; cp = sudo_strsplit(NULL, path_end, ":", &ep)) {
 
 	char fname[PATH_MAX];
-	len = ep - cp;
+	len = (size_t)(ep - cp);
 	if (len >= sizeof(fname)) {
 	    errno = ENAMETOOLONG;
 	    break;