Fix theoretical infinite loops in libfuse
authorMiklos Szeredi <miklos@szeredi.hu>
Tue, 10 Jun 2008 18:31:55 +0000 (18:31 +0000)
committerMiklos Szeredi <miklos@szeredi.hu>
Tue, 10 Jun 2008 18:31:55 +0000 (18:31 +0000)
ChangeLog
lib/fuse.c

index 84d92ae61d32fd87ccaeba19e94b25109d398984..73e02b789ee28096207d0ea51cf34fc2790ab03c 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2008-06-10  Miklos Szeredi <miklos@szeredi.hu>
+
+       * Fix theoretical infinite loops in libfuse.  Reported by Szabolcs
+       Szakacsits
+
 2008-05-23  Miklos Szeredi <miklos@szeredi.hu>
 
        * Fix mounting over symlink.  Reported by Szabolcs Szakacsits
index 53326f382bd72bc8ef15909cdc927d2c9002ee35..519ef04be42f6b5928953874238b6b9e3be02b8f 100644 (file)
@@ -442,8 +442,12 @@ static char *add_name(char **buf, unsigned *bufsize, char *s, const char *name)
                unsigned newbufsize = *bufsize;
                char *newbuf;
 
-               while (newbufsize < pathlen + len + 1)
-                       newbufsize *= 2;
+               while (newbufsize < pathlen + len + 1) {
+                       if (newbufsize >= 0x80000000)
+                               newbufsize = 0xffffffff;
+                       else
+                               newbufsize *= 2;
+               }
 
                newbuf = realloc(*buf, newbufsize);
                if (newbuf == NULL)
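Review bot: The clamp added to the `while (newbufsize < pathlen + len + 1)` loop only guarantees termination when the required size itself fits in an `unsigned`. The declarations of `pathlen` and `len` are outside the hunk, but if either is a `size_t` the sum can exceed 0xffffffff on a 64-bit build and the loop keeps spinning at the clamped value. If both are `unsigned`, the sum can wrap and the loop exits with a buffer smaller than the path, which is the more dangerous outcome for the copy that presumably follows. A bound check before the loop, such as `if (len >= UINT_MAX - pathlen)` taking the same failure path as the `newbuf == NULL` case, would cover both. Separately, the literals `0x80000000` and `0xffffffff` here and in the extend_contents hunk assume a 32-bit `unsigned`; `newbufsize > UINT_MAX / 2` and `UINT_MAX` from `<limits.h>` state the intent directly. add_name starts and ends outside the hunk.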
@@ -2364,8 +2368,12 @@ static int extend_contents(struct fuse_dh *dh, unsigned minsize)
                unsigned newsize = dh->size;
                if (!newsize)
                        newsize = 1024;
-               while (newsize < minsize)
-                       newsize *= 2;
+               while (newsize < minsize) {
+                       if (newsize >= 0x80000000)
+                               newsize = 0xffffffff;
+                       else
+                               newsize *= 2;
+               }
 
                newptr = (char *) realloc(dh->contents, newsize);
                if (!newptr) {
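Review bot: The clamp in the `while (newsize < minsize)` loop has no comment explaining why the size is pinned at 0xffffffff rather than rejected outright. Since `minsize` is `unsigned` per the signature in the hunk header, and assuming a 32-bit `unsigned`, the clamped value always satisfies the loop condition, and the oversized request is left for `realloc` to refuse through the existing `if (!newptr)` path. A comment above the `if` such as `/* doubling would wrap to 0 and never reach minsize; clamp and let realloc fail */` would record that reasoning for the next reader. extend_contents starts and ends outside the hunk.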