Fix theoretical infinite loops in libfuse

2 files changed, 17 insertions, 4 deletions

diff --git a/ChangeLog b/ChangeLog
index 84d92ae..73e02b7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2008-06-10  Miklos Szeredi <miklos@szeredi.hu>
+
+	* Fix theoretical infinite loops in libfuse.  Reported by Szabolcs
+	Szakacsits
+
 2008-05-23  Miklos Szeredi <miklos@szeredi.hu>
 
 	* Fix mounting over symlink.  Reported by Szabolcs Szakacsits
diff --git a/lib/fuse.c b/lib/fuse.c
index 53326f3..519ef04 100644
--- a/lib/fuse.c
+++ b/lib/fuse.c
@@ -442,8 +442,12 @@ static char *add_name(char **buf, unsigned *bufsize, char *s, const char *name)
 		unsigned newbufsize = *bufsize;
 		char *newbuf;
 
-		while (newbufsize < pathlen + len + 1)
-			newbufsize *= 2;
+		while (newbufsize < pathlen + len + 1) {
+			if (newbufsize >= 0x80000000)
+				newbufsize = 0xffffffff;
+			else
+				newbufsize *= 2;
+		}
 
 		newbuf = realloc(*buf, newbufsize);
 		if (newbuf == NULL)
@@ -2364,8 +2368,12 @@ static int extend_contents(struct fuse_dh *dh, unsigned minsize)
 		unsigned newsize = dh->size;
 		if (!newsize)
 			newsize = 1024;
-		while (newsize < minsize)
-			newsize *= 2;
+		while (newsize < minsize) {
+			if (newsize >= 0x80000000)
+				newsize = 0xffffffff;
+			else
+				newsize *= 2;
+		}
 
 		newptr = (char *) realloc(dh->contents, newsize);
 		if (!newptr) {