Subject: Re: lib/36464: scandir(3) corrupts heap when run on ZFS directories
To: None <gnats-bugs@NetBSD.org>
From: Jared D. McNeill <jmcneill@invisible.ca>
List: netbsd-bugs
Date: 06/20/2007 16:02:39
I just ran into a similar issue with ntfs-3g/refuse/puffs on -current. Does the following patch resolve your issue?

Cheers,
Jared

--- scandir.c.orig	2007-06-20 11:00:57.000000000 -0400
+++ scandir.c	2007-06-20 11:06:11.000000000 -0400
@@ -80,6 +80,8 @@
	 * and dividing it by a multiple of the minimum size entry.
	 */
	arraysz = (size_t)(stb.st_size / 24);
+	if (arraysz == 0)
+		arraysz = 1;
	names = malloc(arraysz * sizeof(struct dirent *));
	if (names == NULL)
		goto bad;
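Review bot: the `arraysz == 0` guard needs a comment saying why `stb.st_size / 24` can be zero here; the surrounding heuristic assumes a UFS-style directory whose `st_size` scales with the number of entries, and filesystems such as ZFS or puffs-backed mounts report sizes that do not (the very report this replies to), which is the whole reason the floor is necessary. Without that note a later reader may see a one-slot `malloc` as odd and remove the clamp. Also note that the cast of `stb.st_size` (an `off_t`) to `size_t` happens before the check, so the guard only catches the zero case and not truncation of large values on 32-bit `size_t`; the pre-existing `arraysz * sizeof(struct dirent *)` multiplication is still unchecked for overflow.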
@@ -94,9 +96,13 @@
		 * realloc the maximum size.
		 */
		if (nitems >= arraysz) {
+			size_t growth;
			if (fstat(dirp->dd_fd, &stb) < 0)
				goto bad2;	/* just might have grown */
-			arraysz = (size_t)(stb.st_size / 12);
+			growth = (size_t)(stb.st_size / 12);
+			if (growth == 0)
+				growth = 1;
+			arraysz += growth;
			newnames = realloc(names,
			    arraysz * sizeof(struct dirent *));
			if (newnames == NULL)
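Review bot: the switch from `arraysz = (size_t)(stb.st_size / 12);` to additive growth is the actual fix for the heap corruption: with the old assignment, a small or zero `st_size` could leave `arraysz` at or below `nitems`, so `realloc` shrank or kept the buffer and the following store into `names[nitems]` wrote past its end. Since this branch is entered with `nitems >= arraysz` and `growth` is floored at 1, `arraysz` is now strictly greater than `nitems` after the `+=`, which is the invariant the store relies on. Two follow-ups: a floor of 1 means a directory whose `st_size` reports as 0 grows the array by one slot per entry, giving one `realloc` per `readdir` result (quadratic copying on large directories), so consider flooring `growth` at `arraysz` (i.e. doubling) rather than 1; and KNF keeps declarations at the top of the function, so `size_t growth;` belongs with the other locals rather than inside the `if` block.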