Index: usr.bin/bsdiff/bspatch/bspatch.c
===================================================================
--- usr.bin/bsdiff/bspatch/bspatch.c
+++ usr.bin/bsdiff/bspatch/bspatch.c
@@ -30,6 +30,7 @@
 #include <bzlib.h>
 #include <err.h>
 #include <fcntl.h>
+#include <limits.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -72,8 +73,8 @@
 	BZFILE *cpfbz2, *dpfbz2, *epfbz2;
 	int cbz2err, dbz2err, ebz2err;
 	int newfd, oldfd;
-	ssize_t oldsize, newsize;
-	ssize_t bzctrllen, bzdatalen;
+	off_t oldsize, newsize;
+	off_t bzctrllen, bzdatalen;
 	u_char header[32], buf[8];
 	u_char *old, *new;
 	off_t oldpos, newpos;
@@ -117,7 +118,9 @@
 	bzctrllen = offtin(header + 8);
 	bzdatalen = offtin(header + 16);
 	newsize = offtin(header + 24);
-	if ((bzctrllen < 0) || (bzdatalen < 0) || (newsize < 0))
+	if (bzctrllen < 0 || bzctrllen > OFF_MAX - 32 ||
+	    bzdatalen < 0 || bzctrllen + 32 > OFF_MAX - bzdatalen ||
+	    newsize < 0 || newsize > SSIZE_MAX)
 		errx(1, "Corrupt patch\n");
 
 	/* Close patch file and re-open it via libbzip2 at the right places */
@@ -149,12 +152,13 @@
 	if (oldfd < 0)
 		err(1, "%s", argv[1]);
 	if ((oldsize = lseek(oldfd, 0, SEEK_END)) == -1 ||
-	    (old = malloc(oldsize+1)) == NULL ||
+	    oldsize > SSIZE_MAX ||
+	    (old = malloc(oldsize)) == NULL ||
 	    lseek(oldfd, 0, SEEK_SET) != 0 ||
 	    read(oldfd, old, oldsize) != oldsize ||
 	    close(oldfd) == -1)
 		err(1, "%s", argv[1]);
-	if ((new = malloc(newsize + 1)) == NULL)
+	if ((new = malloc(newsize)) == NULL)
 		err(1, NULL);
 
 	oldpos = 0;
@@ -170,7 +174,8 @@
 		}
 
 		/* Sanity-check */
-		if ((ctrl[0] < 0) || (ctrl[1] < 0))
+		if (ctrl[0] < 0 || ctrl[0] > INT_MAX ||
+		    ctrl[1] < 0 || ctrl[1] > INT_MAX)
 			errx(1, "Corrupt patch\n");
 
 		/* Sanity-check */