From e979832dda71deeea092c31046f543fbeec13c5c Mon Sep 17 00:00:00 2001
From: Alexandre Julliard
Date: Wed, 8 Feb 2006 15:06:42 +0100
Subject: [PATCH] server: Fixed handling of inotify record length.
---
 server/change.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/server/change.c b/server/change.c
index c35a82cf67e..e32997eb46a 100644
--- a/server/change.c
+++ b/server/change.c
@@ -416,7 +416,8 @@ static void inotify_do_change_notify( struct dir *dir, struct inotify_event *ie
 if (dir->want_data)
 {
- record = malloc( sizeof (*record) + ie->len - 1 ) ;
+ size_t len = strlen(ie->name);
+ record = malloc( offsetof(struct change_record, name[len]) );
 if (!record)
 return;
@@ -426,8 +427,8 @@ static void inotify_do_change_notify( struct dir *dir, struct inotify_event *ie
 record->action = FILE_ACTION_REMOVED;
 else
 record->action = FILE_ACTION_MODIFIED;
- memcpy( record->name, ie->name, ie->len );
- record->len = strlen( ie->name );
+ memcpy( record->name, ie->name, len );
+ record->len = len;
 list_add_tail( &dir->change_records, &record->entry );
 }
@@ -456,13 +457,14 @@ static void inotify_poll_event( struct fd *fd, int event )
 return;
 }
- for( ofs = 0; ofs < r; )
+ for( ofs = 0; ofs < r - offsetof(struct inotify_event, name); )
 {
 ie = (struct inotify_event*) &buffer[ofs];
 if (!ie->len)
 break;
+ ofs += offsetof( struct inotify_event, name[ie->len] );
+ if (ofs > r) break;
 inotify_do_change_notify( dir, ie );
- ofs += (sizeof (*ie) + ie->len - 1);
 }
 }
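Review bot: In the first hunk of inotify_do_change_notify, `size_t len = strlen(ie->name);` scans until it meets a NUL and never consults `ie->len`, so the malloc size and the later memcpy both depend on the name being terminated inside the record. The bounds check added in inotify_poll_event only establishes that `ie->len` bytes lie within the bytes read. Bounding the scan keeps a malformed record from being read past its end: `const char *end = memchr( ie->name, 0, ie->len );` followed by `size_t len = end ? (size_t)(end - ie->name) : ie->len;`. The function body begins and ends outside this hunk.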
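Review bot: In the second hunk of inotify_do_change_notify, `memcpy( record->name, ie->name, len );` copies exactly `len` bytes into an allocation of `offsetof(struct change_record, name[len])`, so `record->name` carries no terminating NUL, whereas the removed line copied `ie->len` bytes (presumably including the NUL padding). The definition of struct change_record and the code that consumes the queued records are outside this diff, so the contract is worth stating where the record is filled in, for example `/* name holds record->len bytes and is not NUL-terminated */`. Any reader that treats the field as a C string would run past the allocation.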
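Review bot: The new loop condition `ofs < r - offsetof(struct inotify_event, name)` in inotify_poll_event subtracts a size_t from `r`; if `r` is a signed int (its declaration is outside the hunk) and the read returned fewer bytes than an event header, the result wraps to a very large unsigned value and the body casts stale buffer contents to an event. The same conversion applies to `ofs += offsetof( struct inotify_event, name[ie->len] )`, where a large `ie->len` can wrap before `if (ofs > r) break;` is evaluated. Assuming negative read results are rejected before the loop, comparing without the subtraction and validating the length against the bytes that remain avoids both: `for( ofs = 0; ofs + offsetof(struct inotify_event, name) <= (size_t)r; )` and, before advancing, `if (ie->len > (size_t)r - ofs - offsetof(struct inotify_event, name)) break;`. The function begins and ends outside the hunk.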