diff -urN hfs/catalog.c linux-2.6.31.6/fs/hfs/catalog.c
--- a/fs/hfs/catalog.c	2009-11-16 13:29:47.000000000 -0500
+++ b/fs/hfs/catalog.c	2009-11-17 13:08:43.000000000 -0500
@@ -289,6 +289,10 @@
 	err = hfs_brec_find(&src_fd);
 	if (err)
 		goto out;
+	if ((src_fd.entrylength > sizeof(entry))||(src_fd.entrylength < 0)) {
+		err = -EINVAL;
+		goto out;
+		}
 
 	hfs_bnode_read(src_fd.bnode, &entry, src_fd.entryoffset,
 			    src_fd.entrylength);
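Review bot: The `< 0` arm of the added test is evaluated second, after `src_fd.entrylength > sizeof(entry)` has already compared the value as unsigned, so it documents intent rather than adding protection (assuming `entrylength` is a signed int, which the hunk does not show). Putting the sign test first and following kernel brace style reads more clearly: `if (src_fd.entrylength < 0 || src_fd.entrylength > sizeof(entry)) {`, with the closing `}` aligned to the `if`. The same applies to the two checks in fs/hfs/dir.c and the one in fs/hfs/super.c. The enclosing function starts and ends outside this hunk.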
diff -urN hfs/dir.c linux-2.6.31.6/fs/hfs/dir.c
--- a/fs/hfs/dir.c	2009-11-16 13:29:47.000000000 -0500
+++ b/fs/hfs/dir.c	2009-11-17 13:08:43.000000000 -0500
@@ -82,6 +82,11 @@
 		filp->f_pos++;
 		/* fall through */
 	case 1:
+		if ((fd.entrylength > sizeof(entry)) || (fd.entrylength < 0)) {
+			err = -EINVAL;
+			goto out;
+			}
+
 		hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, fd.entrylength);
 		if (entry.type != HFS_CDR_THD) {
 			printk(KERN_ERR "hfs: bad catalog folder thread\n");
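Review bot: The added check caps the copy at `sizeof(entry)` but sets no lower bound, so a record shorter than a thread record still reaches `entry.type != HFS_CDR_THD` with part of `entry` never written by `hfs_bnode_read` (unless `entry` is initialised earlier, which is outside the hunk). Consider also rejecting lengths below the size of the record type parsed here. Logging the rejection, as the adjacent `printk(KERN_ERR "hfs: bad catalog folder thread\n")` does, would make a corrupted image diagnosable. The switch body continues outside the hunk.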
@@ -112,6 +117,12 @@
 			err = -EIO;
 			goto out;
 		}
+		
+		if ((fd.entrylength > sizeof(entry)) || (fd.entrylength < 0)) {
+			err = -EINVAL;
+			goto out;
+			}
+
 		hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, fd.entrylength);
 		type = entry.type;
 		len = hfs_mac2asc(sb, strbuf, &fd.key->cat.CName);
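Review bot: The new bounds failure returns `-EINVAL`, while the error path immediately above it reports bad on-disk data with `err = -EIO`. An out-of-range record length is on-disk corruption rather than a bad caller argument, so `err = -EIO;` would keep the error paths consistent; the same choice applies to the other three checks in this patch. The added line before the `if` contains only tabs, and the closing `}` is indented one level too deep for kernel style. The surrounding code starts and ends outside the hunk.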
diff -urN hfs/super.c linux-2.6.31.6/fs/hfs/super.c
--- a/fs/hfs/super.c	2009-11-16 13:29:47.000000000 -0500
+++ b/fs/hfs/super.c	2009-11-17 13:08:43.000000000 -0500
@@ -389,6 +389,12 @@
 	hfs_find_init(HFS_SB(sb)->cat_tree, &fd);
 	res = hfs_cat_find_brec(sb, HFS_ROOT_CNID, &fd);
 	if (!res)
+       {
+		if ((fd.entrylength > sizeof(rec))|| (fd.entrylength < 0)) {
+			res =  -EINVAL;
+			goto bail;
+		}
+       }
 		hfs_bnode_read(fd.bnode, &rec, fd.entryoffset, fd.entrylength);
 	if (res) {
 		hfs_find_exit(&fd);
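Review bot: The braces added after `if (!res)` close before `hfs_bnode_read(fd.bnode, &rec, fd.entryoffset, fd.entrylength);`, so that read no longer depends on `!res`. It now runs even when `hfs_cat_find_brec` failed, with an `fd` whose length was never checked; the unchanged indentation hides this. Move the closing `}` to after the `hfs_bnode_read` call so the length check and the read sit in the same block. Also confirm that the `bail` label releases the find context: the visible `if (res)` path calls `hfs_find_exit(&fd)` itself, which suggests `bail` may not, and the new `goto bail` would then skip it. The function continues outside the hunk.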
