From 6feab338aed1ad390ba4b0042f0490c7e317c7e3 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt <jengelh@inai.de>
Date: Tue, 3 Jul 2012 03:28:50 +0200
Subject: bindfs: avoid crash due to too-short allocation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

pathconf() can return negative values to indicate an error. Using the
result of pathconf naïvely in arithmetic is therefore inappropriate.
---
 src/bindfs.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

(limited to 'src')

diff --git a/src/bindfs.c b/src/bindfs.c
index ded13be..48b732c 100644
--- a/src/bindfs.c
+++ b/src/bindfs.c
@@ -54,6 +54,7 @@
 #include <assert.h>
 #include <pwd.h>
 #include <grp.h>
+#include <limits.h>
 #ifdef HAVE_SETXATTR
 #include <sys/xattr.h>
 #endif
@@ -399,9 +400,13 @@ static int bindfs_readdir(const char *path, void *buf, fuse_fill_dir_t filler,
     struct dirent *de;
     struct stat st;
     int result = 0;
-    
-    de_buf = malloc(offsetof(struct dirent, d_name) + pathconf(path, _PC_NAME_MAX) + 1);
-    
+    long pc_ret;
+
+    pc_ret = pathconf(path, _PC_NAME_MAX);
+    if (pc_ret < 0)
+        pc_ret = NAME_MAX; /* or scream and abort()? */
+    de_buf = malloc(offsetof(struct dirent, d_name) + pc_ret + 1);
+
     seekdir(dp, offset);
     while (1) {
         result = readdir_r(dp, de_buf, &de);
-- 
cgit v1.2.3