#4 stack overflow / endless recursion on malformed input

Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2015-09-05
Created: 2015-09-05
Creator: Hanno Böck
Private: No

While fuzzing cramfsck I found a bug where the functions do_directory and expand_fs would call each other recursively forever, leading to a stack overflow. Sample attached.

Stack trace with address sanitizer:
==18205==ERROR: AddressSanitizer: stack-overflow on address 0x7ffc0667aff8 (pc 0x00000043b199 bp 0x000000024920 sp 0x7ffc0667b000 T0)
#0 0x43b198 in __sanitizer::LargeMmapAllocator<__asan::AsanMapUnmapCallback>::Allocate(__sanitizer::AllocatorStats, unsigned long, unsigned long) (/mnt/ram/cram/cramfsck+0x43b198)
#1 0x43b0bb in __sanitizer::CombinedAllocator<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap<17ul, 128ul, 16ul>, __asan::AsanMapUnmapCallback>, __sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap<17ul, 128ul, 16ul>, __asan::AsanMapUnmapCallback> >, __sanitizer::LargeMmapAllocator<__asan::AsanMapUnmapCallback> >::Allocate(__sanitizer::SizeClassAllocatorLocalCache<__sanitizer::SizeClassAllocator64<105553116266496ul, 4398046511104ul, 0ul, __sanitizer::SizeClassMap<17ul, 128ul, 16ul>, __asan::AsanMapUnmapCallback> >, unsigned long, unsigned long, bool, bool) (/mnt/ram/cram/cramfsck+0x43b0bb)
#2 0x4382f4 in __asan::Allocator::Allocate(unsigned long, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType, bool) (/mnt/ram/cram/cramfsck+0x4382f4)
#3 0x4bd98c in __interceptor_malloc (/mnt/ram/cram/cramfsck+0x4bd98c)
#4 0x4defff in do_directory /f/cramfs-1.1/cramfsck.c:435:18
#5 0x4defff in expand_fs /f/cramfs-1.1/cramfsck.c:616
#6 0x4df504 in do_directory /f/cramfs-1.1/cramfsck.c:477:3
#7 0x4df504 in expand_fs /f/cramfs-1.1/cramfsck.c:616
#8 0x4df504 in do_directory /f/cramfs-1.1/cramfsck.c:477:3
#9 0x4df504 in expand_fs /f/cramfs-1.1/cramfsck.c:616
#10 0x4df504 in do_directory /f/cramfs-1.1/cramfsck.c:477:3
[this goes on for hundreds of lines]
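The trace above shows the classic shape of this bug class: a recursive directory walker that trusts offsets taken from the image, so a malformed image whose directory entry points back at an ancestor (or at itself) makes do_directory and expand_fs re-enter each other until the stack is exhausted. The following is an added example, not code from cramfs or from this report, showing the two checks a defensive walker needs: a hard bound on recursion depth and a record of directory offsets already visited. It uses a constructed toy directory format (a flat array of entries with an index to their first child), not the real cramfs on-disk layout; the names, the depth limit and the sample images are all assumptions made for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy image format (NOT cramfs): each entry is a file (type 0)
 * or a directory (type 1). A directory's children are the contiguous
 * entries starting at index first_child. Because first_child is read from
 * the untrusted image, it can point anywhere, including back at an ancestor. */
typedef struct {
    uint8_t  type;        /* 0 = file, 1 = directory */
    uint8_t  nchildren;   /* number of child entries */
    uint16_t first_child; /* index of the first child entry */
} entry_t;

enum { MAX_DEPTH = 16, MAX_ENTRIES = 64 };   /* assumed limits for the example */

typedef struct {
    const entry_t *entries;
    size_t nentries;
    uint8_t visited[MAX_ENTRIES]; /* directories already entered on this walk */
    int files_seen;
} walker_t;

/* Returns 0 on success, -1 if the image is malformed. A well-formed tree
 * never reaches the same directory twice and never nests deeper than the
 * format allows, so either condition is treated as a corrupt image instead
 * of being followed. */
static int walk_dir(walker_t *w, size_t idx, int depth)
{
    if (idx >= w->nentries) return -1;        /* child index outside the image */
    if (depth > MAX_DEPTH) return -1;         /* recursion bound: deep chains are rejected */
    if (w->visited[idx]) return -1;           /* cycle: this directory is already on the walk */
    w->visited[idx] = 1;

    const entry_t *e = &w->entries[idx];
    if (e->type != 1) return -1;              /* walk_dir must only be called on directories */

    for (size_t i = 0; i < e->nchildren; i++) {
        size_t c = (size_t)e->first_child + i;
        if (c >= w->nentries) return -1;      /* bounds check before dereferencing the child */
        if (w->entries[c].type == 1) {
            if (walk_dir(w, c, depth + 1) != 0) return -1;
        } else {
            w->files_seen++;
        }
    }
    return 0;
}

/* Entry point: walks the tree rooted at index 0 and reports the file count. */
int check_image(const entry_t *entries, size_t n, int *files_out)
{
    if (n == 0 || n > MAX_ENTRIES) return -1;
    walker_t w;
    memset(&w, 0, sizeof w);
    w.entries = entries;
    w.nentries = n;
    int rc = walk_dir(&w, 0, 0);
    if (files_out) *files_out = w.files_seen;
    return rc;
}

/* Constructed sample images. */
static const entry_t good_image[] = {
    {1, 2, 1},   /* root directory: children at indices 1 and 2 */
    {0, 0, 0},   /* file */
    {1, 1, 3},   /* subdirectory: child at index 3 */
    {0, 0, 0},   /* file */
};
static const entry_t cyclic_image[] = {
    {1, 1, 1},   /* root: child at index 1 */
    {1, 1, 0},   /* subdirectory whose child points back at the root */
};

/* The well-formed image walks cleanly and contains exactly two files. */
int check_good_image(void)
{
    int files = 0;
    return check_image(good_image, 4, &files) == 0 && files == 2;
}

/* The cyclic image is rejected by the visited check instead of recursing forever. */
int check_cyclic_image(void)
{
    return check_image(cyclic_image, 2, NULL) == -1;
}

/* A chain of directories nested deeper than MAX_DEPTH is rejected by the depth bound. */
int check_deep_chain(void)
{
    entry_t chain[20];
    for (uint16_t i = 0; i < 19; i++) { chain[i].type = 1; chain[i].nchildren = 1; chain[i].first_child = i + 1; }
    chain[19].type = 0; chain[19].nchildren = 0; chain[19].first_child = 0;
    return check_image(chain, 20, NULL) == -1;
}

int main(void)
{
    printf("good image ok: %d\n", check_good_image());
    printf("cyclic image rejected: %d\n", check_cyclic_image());
    printf("deep chain rejected: %d\n", check_deep_chain());
    return 0;
}
```

The visited set is what stops the mutual-recursion loop in this report; the depth bound is the second line of defence for images that are not strictly cyclic but nest far deeper than any legitimate filesystem would, which would otherwise exhaust the stack just as surely. Both checks fail closed by reporting corruption rather than trying to continue the walk.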

1 Attachments
