Subject: Re: lib/36464: scandir(3) corrupts heap when run on ZFS directories
To: None <lib-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: Jared D. McNeill <jmcneill@invisible.ca>
List: netbsd-bugs
Date: 06/20/2007 20:05:04
The following reply was made to PR lib/36464; it has been noted by GNATS.

From: "Jared D. McNeill" <jmcneill@invisible.ca>
To: gnats-bugs@NetBSD.org
Cc: lib-bug-people@netbsd.org, gnats-admin@netbsd.org,
	netbsd-bugs@netbsd.org
Subject: Re: lib/36464: scandir(3) corrupts heap when run on ZFS directories
Date: Wed, 20 Jun 2007 16:02:39 -0400

 I just ran into a similar issue with ntfs-3g/refuse/puffs on -current.
 Does the following patch resolve your issue?
 
 Cheers,
 Jared
 
 --- scandir.c.orig	2007-06-20 11:00:57.000000000 -0400
 +++ scandir.c	2007-06-20 11:06:11.000000000 -0400
 @@ -80,6 +80,8 @@
 	 * and dividing it by a multiple of the minimum size entry.
 	 */
 	arraysz = (size_t)(stb.st_size / 24);
 +	if (arraysz == 0)
 +		arraysz = 1;
 	names = malloc(arraysz * sizeof(struct dirent *));
 	if (names == NULL)
 		goto bad;
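 Review bot: the clamp to 1 guards the malloc(0) case that arises when a filesystem reports st_size == 0 for a directory (the ZFS and puffs symptom in this PR), but the comment just above still describes arraysz purely as st_size divided by the minimum entry size; add a sentence there noting the floor of one entry so the guard is not "simplified" away later. Also worth noting that with a floor of 1 the `nitems >= arraysz` test in the loop below fires on the very first entry for every such filesystem, so a slightly larger floor (a small fixed constant) would avoid an immediate realloc at no real cost.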
 @@ -94,9 +96,13 @@
 		 * realloc the maximum size.
 		 */
 		if (nitems >= arraysz) {
 +			size_t growth;
 			if (fstat(dirp->dd_fd, &stb) < 0)
 				goto bad2;	/* just might have grown */
 -			arraysz = (size_t)(stb.st_size / 12);
 +			growth = (size_t)(stb.st_size / 12);
 +			if (growth == 0)
 +				growth = 1;
 +			arraysz += growth;
 			newnames = realloc(names,
 			    arraysz * sizeof(struct dirent *));
 			if (newnames == NULL)
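 Review bot: making the growth additive (`arraysz += growth`) instead of resetting arraysz to st_size / 12 is the substantive fix: the old code could shrink arraysz below nitems when fstat returned a size that had not grown, and then `realloc` to a buffer too small for the entries already stored, which is the heap corruption the PR title describes; the `growth == 0` clamp ensures the array always makes progress. Two follow-ups: the hunk is cut off after `if (newnames == NULL)`, so confirm the error path still releases the original `names` (realloc failure leaves the old block allocated, so the existing `goto bad2` cleanup must free it); and `arraysz * sizeof(struct dirent *)` is multiplied unchecked in both the malloc and realloc calls, so an absurd st_size from a misbehaving filesystem could overflow size_t and under-allocate, which an explicit overflow check before the multiplication would close.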