>From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Luca Kellermann Date: Mon, 21 Jul 2025 01:29:52 +0200 Subject: [PATCH v3 4/6] scandir: report ENOMEM and EOVERFLOW if the loop is exited because len * sizeof *names does not fit into size_t, errno should be explicitly set to ENOMEM. previously, the behavior differed depending on which value errno happened to have at this point. if cnt reached a value > INT_MAX, scandir() returned an incorrect value. EOVERFLOW should be reported instead. it's unlikely that these errors can actually occur. it may not even be possible to have directories with that many entries, and even then malloc() or realloc() will probably fail long before len or cnt reach those large values. --- src/dirent/scandir.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/src/dirent/scandir.c b/src/dirent/scandir.c index 1807c03447fec5de5bf5ace633a85faed041c45d..f3c8c14ce68a04b39a152e4d25d8c067a5aa593e 100644 --- a/src/dirent/scandir.c +++ b/src/dirent/scandir.c @@ -1,4 +1,5 @@ #include +#include #include #include #include @@ -33,9 +34,16 @@ int scandir(const char *path, struct dirent ***res, errno = old_errno; if (!sel(de)) continue; } + if (cnt >= INT_MAX) { + errno = EOVERFLOW; + break; + } if (cnt >= len) { len = 2*len+1; - if (len > SIZE_MAX/sizeof *names) break; + if (len > SIZE_MAX/sizeof *names) { + errno = ENOMEM; + break; + } tmp = realloc(names, len * sizeof *names); if (!tmp) break; names = tmp;
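Review bot: in the first hunk (`@@ -1,4 +1,5 @@`) the header name on the added `#include` line has been stripped by extraction, as have the names on the three existing `#include` lines, so the hunk as shown reads `#include +#include #include #include`; before merging, confirm that the added include is the one that defines INT_MAX, which the new `if (cnt >= INT_MAX)` check in the second hunk depends on, and that ENOMEM/EOVERFLOW are already reachable through an errno header the file includes (the surrounding code already assigns `errno`, so that is likely, but it cannot be verified from the visible lines).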
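Review bot: in the second hunk (`@@ -33,9 +34,16 @@`) both new error paths rely on `errno` surviving to the post-loop handling, which is outside the visible context; since each iteration begins by restoring `errno = old_errno;` before calling `sel(de)`, the values set by `errno = EOVERFLOW;` and `errno = ENOMEM;` are preserved only because each is immediately followed by `break;`. The cleanup after the loop should therefore be checked to confirm it treats a non-zero `errno` after the loop as failure (freeing the `cnt` entries already stored in `names`) rather than returning the partial count. The placement of the `cnt >= INT_MAX` check ahead of the growth check is correct as a boundary: it refuses the entry that would make `cnt` exceed INT_MAX, so the value returned on the success path stays representable in `int` without an off-by-one. Consider also a one-line comment on the EOVERFLOW check noting that the return type of scandir() is `int`, since a reader of the loop alone will not see why `cnt` (a wider type, per the commit message) is capped there.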