--- rsync-3.0.0/util.c	2008-03-01 21:01:41.000000000 +0100
+++ rsync-3.0.0.patched/util.c	2008-04-08 07:32:01.000000000 +0200
@@ -1476,7 +1476,9 @@
 			new_size += incr;
 		else
 			new_size *= 2;
-		new_ptr = realloc_array(lp->items, char, new_size * item_size);
+		if (new_size < lp->malloced)
+			overflow_exit("expand_item_list");
+		new_ptr = _realloc_array(lp->items, item_size, new_size);
 		if (verbose >= 4) {
 			rprintf(FINFO, "[%s] expand %s to %.0f bytes, did%s move\n",
 				who_am_i(), desc, (double)new_size * item_size,