From: Miklos Szeredi
Date: Tue, 10 Jun 2008 18:31:55 +0000 (+0000)
Subject: Fix theoretical infinite loops in libfuse
X-Git-Tag: fuse_2_8_0_pre2~17
X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=9d4a9ea675bcc1ca144101d058804f4fed37e65d;p=qemu-gpiodev%2Flibfuse.git
Fix theoretical infinite loops in libfuse
---
diff --git a/ChangeLog b/ChangeLog
index 84d92ae..73e02b7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2008-06-10 Miklos Szeredi
+
+ * Fix theoretical infinite loops in libfuse. Reported by Szabolcs
+ Szakacsits
+
 2008-05-23 Miklos Szeredi
 * Fix mounting over symlink. Reported by Szabolcs Szakacsits
diff --git a/lib/fuse.c b/lib/fuse.c
index 53326f3..519ef04 100644
--- a/lib/fuse.c
+++ b/lib/fuse.c
@@ -442,8 +442,12 @@ static char *add_name(char **buf, unsigned *bufsize, char *s, const char *name)
 unsigned newbufsize = *bufsize;
 char *newbuf;
- while (newbufsize < pathlen + len + 1)
- newbufsize *= 2;
+ while (newbufsize < pathlen + len + 1) {
+ if (newbufsize >= 0x80000000)
+ newbufsize = 0xffffffff;
+ else
+ newbufsize *= 2;
+ }
 newbuf = realloc(*buf, newbufsize);
 if (newbuf == NULL)
@@ -2364,8 +2368,12 @@ static int extend_contents(struct fuse_dh *dh, unsigned minsize)
 unsigned newsize = dh->size;
 if (!newsize)
 newsize = 1024;
- while (newsize < minsize)
- newsize *= 2;
+ while (newsize < minsize) {
+ if (newsize >= 0x80000000)
+ newsize = 0xffffffff;
+ else
+ newsize *= 2;
+ }
 newptr = (char *) realloc(dh->contents, newsize);
 if (!newptr) {
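Review bot: The clamp in add_name's growth loop hard-codes a 32-bit `unsigned` (`0x80000000` / `0xffffffff`), so the loop is only guaranteed to terminate at that width; `if (newbufsize > UINT_MAX / 2) newbufsize = UINT_MAX; else newbufsize *= 2;` (with `<limits.h>`) states the intent without the assumption, and the same applies to the identical loop in extend_contents. The add_name loop also still cannot terminate if `*bufsize` is ever 0, because nothing between `unsigned newbufsize = *bufsize;` and the loop substitutes a starting size the way extend_contents does with `if (!newsize) newsize = 1024;`; whether a caller can pass 0 is not visible here. Separately, the bound `pathlen + len + 1` is presumably evaluated in `unsigned` and could itself wrap for very long inputs, which would let the loop accept a buffer that is too small before the `realloc`, so a range check ahead of the loop would be a safer place to fail. Both functions start and end outside their hunks.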