diff --git a/include/sudo_iolog.h b/include/sudo_iolog.h
index 7535e284b..0e7082b03 100644
--- a/include/sudo_iolog.h
+++ b/include/sudo_iolog.h
@@ -150,6 +150,6 @@ void *iolog_pwfilt_alloc(void);
 bool iolog_pwfilt_add(void *handle, const char *pattern);
 void iolog_pwfilt_free(void *handle);
 bool iolog_pwfilt_remove(void *handle, const char *pattern);
-bool iolog_pwfilt_run(void *handle, int event, const char *buf, unsigned int len, char **newbuf);
+bool iolog_pwfilt_run(void *handle, int event, const char *buf, size_t len, char **newbuf);
 
 #endif /* SUDO_IOLOG_H */
diff --git a/lib/iolog/hostcheck.c b/lib/iolog/hostcheck.c
index 2996e61b3..9212c592d 100644
--- a/lib/iolog/hostcheck.c
+++ b/lib/iolog/hostcheck.c
@@ -130,7 +130,7 @@ static HostnameValidationResult
 validate_name(const char *hostname, ASN1_STRING *certname_asn1)
 {
     char *certname_s = (char *) ASN1_STRING_get0_data(certname_asn1);
-    size_t certname_len = ASN1_STRING_length(certname_asn1);
+    size_t certname_len = (size_t)ASN1_STRING_length(certname_asn1);
     size_t hostname_len = strlen(hostname);
     debug_decl(validate_name, SUDO_DEBUG_UTIL);
 
@@ -207,20 +207,19 @@ matches_common_name(const char *hostname, const char *ipaddr, const X509 *cert,
 		debug_return_int(Error);
 	}			
 	const unsigned char *common_name_str = ASN1_STRING_get0_data(common_name_asn1);
+	const size_t common_name_length = (size_t)ASN1_STRING_length(common_name_asn1);
 
 	/* Make sure there isn't an embedded NUL character in the CN */
-    if (memchr(common_name_str, '\0', ASN1_STRING_length(common_name_asn1)) != NULL) {
+	if (memchr(common_name_str, '\0', common_name_length) != NULL) {
 		debug_return_int(MalformedCertificate);
 	}
 
 	/* Compare expected hostname with the CN */
-    if (validate_name(hostname, common_name_asn1) == MatchFound) {
+	if (validate_name(hostname, common_name_asn1) == MatchFound) {
 		debug_return_int(MatchFound);
 	}
 
-    int common_name_length = ASN1_STRING_length(common_name_asn1);
     char *nullterm_common_name = malloc(common_name_length + 1);
-
     if (nullterm_common_name == NULL) {
 	debug_return_int(Error);
     }
@@ -283,9 +282,10 @@ matches_subject_alternative_name(const char *hostname, const char *ipaddr, const
 
         if (current_name->type == GEN_DNS) {
             const unsigned char *dns_name = ASN1_STRING_get0_data(current_name->d.dNSName);
+	    const size_t dns_name_length = (size_t)ASN1_STRING_length(current_name->d.dNSName);
 
             /* Make sure there isn't an embedded NUL character in the DNS name */
-            if (memchr(dns_name, '\0', ASN1_STRING_length(current_name->d.dNSName)) != NULL) {
+            if (memchr(dns_name, '\0', dns_name_length) != NULL) {
                 result = MalformedCertificate;
                 break;
             } else {
@@ -295,9 +295,7 @@ matches_subject_alternative_name(const char *hostname, const char *ipaddr, const
                     break;
                 }
 
-                size_t dns_name_length = ASN1_STRING_length(current_name->d.dNSName);
                 char *nullterm_dns_name = malloc(dns_name_length + 1);
-
                 if (nullterm_dns_name == NULL) {
                     debug_return_int(Error);
                 }
diff --git a/lib/iolog/iolog_filter.c b/lib/iolog/iolog_filter.c
index ecccf18de..397a3a0da 100644
--- a/lib/iolog/iolog_filter.c
+++ b/lib/iolog/iolog_filter.c
@@ -177,7 +177,7 @@ iolog_pwfilt_remove(void *vhandle, const char *pattern)
  */
 bool
 iolog_pwfilt_run(void *vhandle, int event, const char *buf,
-    unsigned int len, char **newbuf)
+    size_t len, char **newbuf)
 {
     struct pwfilt_handle *handle = vhandle;
     struct pwfilt_regex *filt;
diff --git a/lib/iolog/iolog_legacy.c b/lib/iolog/iolog_legacy.c
index 5d987ae8f..3a2a5c551 100644
--- a/lib/iolog/iolog_legacy.c
+++ b/lib/iolog/iolog_legacy.c
@@ -145,14 +145,14 @@ iolog_parse_loginfo_legacy(FILE *fp, const char *iolog_dir,
 	if ((ep = strchr(cp, ':')) != NULL) {
 	    *ep = '\0';
 	}
-	evlog->lines = sudo_strtonum(cp, 1, INT_MAX, &errstr);
+	evlog->lines = (int)sudo_strtonum(cp, 1, INT_MAX, &errstr);
 	if (errstr != NULL) {
 	    sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
 		"%s: tty lines %s: %s", iolog_dir, cp, errstr);
 	}
 	if (ep != NULL) {
 	    cp = ep + 1;
-	    evlog->columns = sudo_strtonum(cp, 1, INT_MAX, &errstr);
+	    evlog->columns = (int)sudo_strtonum(cp, 1, INT_MAX, &errstr);
 	    if (errstr != NULL) {
 		sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO,
 		    "%s: tty cols %s: %s", iolog_dir, cp, errstr);
diff --git a/lib/iolog/iolog_mkdirs.c b/lib/iolog/iolog_mkdirs.c
index c9ab980c4..8dc1b3982 100644
--- a/lib/iolog/iolog_mkdirs.c
+++ b/lib/iolog/iolog_mkdirs.c
@@ -104,7 +104,8 @@ iolog_mkdirs(const char *path)
 	/* Try again as the I/O log owner (for NFS). */
 	uid_changed = iolog_swapids(false);
 	if (uid_changed)
-	    dfd = sudo_open_parent_dir(path, -1, -1, iolog_dirmode, false);
+	    dfd = sudo_open_parent_dir(path, (uid_t)-1, (gid_t)-1,
+		iolog_dirmode, false);
     }
     if (dfd != -1) {
 	/* Create final path component. */
diff --git a/lib/iolog/iolog_mkdtemp.c b/lib/iolog/iolog_mkdtemp.c
index cf06a6ca6..4d43a6ab9 100644
--- a/lib/iolog/iolog_mkdtemp.c
+++ b/lib/iolog/iolog_mkdtemp.c
@@ -66,7 +66,8 @@ iolog_mkdtemp(char *path)
 	/* Try again as the I/O log owner (for NFS). */
 	uid_changed = iolog_swapids(false);
 	if (uid_changed)
-	    dfd = sudo_open_parent_dir(path, -1, -1, iolog_dirmode, false);
+	    dfd = sudo_open_parent_dir(path, (uid_t)-1, (gid_t)-1,
+		iolog_dirmode, false);
     }
     if (dfd != -1) {
 	/* Create final path component. */
diff --git a/lib/iolog/iolog_read.c b/lib/iolog/iolog_read.c
index 71f778a14..928106326 100644
--- a/lib/iolog/iolog_read.c
+++ b/lib/iolog/iolog_read.c
@@ -48,7 +48,7 @@ iolog_read(struct iolog_file *iol, void *buf, size_t nbytes,
     ssize_t nread;
     debug_decl(iolog_read, SUDO_DEBUG_UTIL);
 
-    if (nbytes > UINT_MAX) {
+    if (nbytes > UINT_MAX || nbytes > SSIZE_MAX) {
 	errno = EINVAL;
 	if (errstr != NULL)
 	    *errstr = strerror(errno);
@@ -57,7 +57,7 @@ iolog_read(struct iolog_file *iol, void *buf, size_t nbytes,
 
 #ifdef HAVE_ZLIB_H
     if (iol->compressed) {
-	if ((nread = gzread(iol->fd.g, buf, nbytes)) == -1) {
+	if ((nread = gzread(iol->fd.g, buf, (unsigned int)nbytes)) == -1) {
 	    if (errstr != NULL) {
 		int errnum;
 		*errstr = gzerror(iol->fd.g, &errnum);
@@ -69,7 +69,7 @@ iolog_read(struct iolog_file *iol, void *buf, size_t nbytes,
 #endif
     {
 	nread = (ssize_t)fread(buf, 1, nbytes, iol->fd.f);
-	if (nread == 0 && ferror(iol->fd.f)) {
+	if (nread <= 0 && ferror(iol->fd.f)) {
 	    nread = -1;
 	    if (errstr != NULL)
 		*errstr = strerror(errno);
diff --git a/lib/iolog/iolog_timing.c b/lib/iolog/iolog_timing.c
index 9eddce8ea..b401f7b7f 100644
--- a/lib/iolog/iolog_timing.c
+++ b/lib/iolog/iolog_timing.c
@@ -53,15 +53,15 @@ void
 iolog_adjust_delay(struct timespec *delay, struct timespec *max_delay,
      double scale_factor)
 {
-    double seconds;
     debug_decl(iolog_adjust_delay, SUDO_DEBUG_UTIL);
 
     if (scale_factor != 1.0) {
 	/* Order is important: we don't want to double the remainder. */
-        seconds = (double)delay->tv_sec / scale_factor;
+	const double seconds = (double)delay->tv_sec / scale_factor;
+	const double nseconds = (double)delay->tv_nsec / scale_factor;
         delay->tv_sec = (time_t)seconds;
-        delay->tv_nsec /= scale_factor;
-        delay->tv_nsec += (seconds - delay->tv_sec) * 1000000000;
+        delay->tv_nsec = (long)nseconds;
+        delay->tv_nsec += (long)((seconds - (double)delay->tv_sec) * 1000000000);
         while (delay->tv_nsec >= 1000000000) {
             delay->tv_sec++;
             delay->tv_nsec -= 1000000000;
diff --git a/lib/iolog/iolog_write.c b/lib/iolog/iolog_write.c
index 82a3f6dee..3d8443392 100644
--- a/lib/iolog/iolog_write.c
+++ b/lib/iolog/iolog_write.c
@@ -48,7 +48,7 @@ iolog_write(struct iolog_file *iol, const void *buf, size_t len,
     ssize_t ret;
     debug_decl(iolog_write, SUDO_DEBUG_UTIL);
 
-    if (len > UINT_MAX) {
+    if (len > UINT_MAX || len > SSIZE_MAX) {
 	errno = EINVAL;
 	if (errstr != NULL)
 	    *errstr = strerror(errno);
@@ -59,7 +59,7 @@ iolog_write(struct iolog_file *iol, const void *buf, size_t len,
     if (iol->compressed) {
 	int errnum;
 
-	ret = gzwrite(iol->fd.g, (const voidp)buf, len);
+	ret = gzwrite(iol->fd.g, buf, (unsigned int)len);
 	if (ret == 0) {
 	    ret = -1;
 	    if (errstr != NULL) {
@@ -83,8 +83,8 @@ iolog_write(struct iolog_file *iol, const void *buf, size_t len,
     } else
 #endif
     {
-	ret = fwrite(buf, 1, len, iol->fd.f);
-	if (ret == 0) {
+	ret = (ssize_t)fwrite(buf, 1, len, iol->fd.f);
+	if (ret <= 0) {
 	    ret = -1;
 	    if (errstr != NULL)
 		*errstr = strerror(errno);
diff --git a/lib/iolog/regress/iolog_path/check_iolog_path.c b/lib/iolog/regress/iolog_path/check_iolog_path.c
index bb79edcc7..f650b2db9 100644
--- a/lib/iolog/regress/iolog_path/check_iolog_path.c
+++ b/lib/iolog/regress/iolog_path/check_iolog_path.c
@@ -74,7 +74,7 @@ fill_seq(char *str, size_t strsize, void *unused)
 	escape_data.sessid[4], escape_data.sessid[5]);
     if (len < 0)
 	return strsize; /* handle non-standard snprintf() */
-    return len;
+    return (size_t)len;
 }
 
 static size_t
diff --git a/lib/iolog/regress/iolog_timing/check_iolog_timing.c b/lib/iolog/regress/iolog_timing/check_iolog_timing.c
index 915b60473..a29736885 100644
--- a/lib/iolog/regress/iolog_timing/check_iolog_timing.c
+++ b/lib/iolog/regress/iolog_timing/check_iolog_timing.c
@@ -84,7 +84,7 @@ test_parse_delay(int *ntests, int *nerrors)
 	    continue;
 	}
     }
-    (*ntests) += i;
+    (*ntests) += (int)i;
 }
 
 static struct adjust_delay_test {
@@ -124,7 +124,7 @@ test_adjust_delay(int *ntests, int *nerrors)
 	    (*nerrors)++;
 	}
     }
-    (*ntests) += i;
+    (*ntests) += (int)i;
 }
 
 int