--- a/util.c

+++ b/util.c

@@ -1329,7 +1329,7 @@ void *_new_array(unsigned long num, unsigned int size, int use_calloc)

 	return use_calloc ? calloc(num, size) : malloc(num * size);

 }

-void *_realloc_array(void *ptr, unsigned int size, unsigned long num)

+void *_realloc_array(void *ptr, unsigned int size, size_t num)

 {

 	if (num >= MALLOC_MAX/size)

 		return NULL;

@@ -1550,7 +1550,10 @@ void *expand_item_list(item_list *lp, size_t item_size,

 			new_size += incr;

 		else

 			new_size *= 2;

-		new_ptr = realloc_array(lp->items, char, new_size * item_size);

+		if (new_size < lp->malloced)

+			overflow_exit("expand_item_list");

+		/* Using _realloc_array() lets us pass the size, not a type. */

+		new_ptr = _realloc_array(lp->items, item_size, new_size);

 		if (verbose >= 4) {

 			rprintf(FINFO, "[%s] expand %s to %.0f bytes, did%s move\n",

 				who_am_i(), desc, (double)new_size * item_size,

diff -uPr rsync-2.6.9.orig/proto.h rsync-2.6.9/proto.h

--- rsync-2.6.9.orig/proto.h	2008-04-08 16:44:42.000000000 -0400

+++ rsync-2.6.9/proto.h	2008-04-09 10:23:52.000000000 -0400

@@ -322,7 +322,7 @@

 int cmp_time(time_t file1, time_t file2);

 int _Insure_trap_error(int a1, int a2, int a3, int a4, int a5, int a6);

 void *_new_array(unsigned int size, unsigned long num);

-void *_realloc_array(void *ptr, unsigned int size, unsigned long num);

+void *_realloc_array(void *ptr, unsigned int size, size_t num);

 const char *find_filename_suffix(const char *fn, int fn_len, int *len_ptr);

 uint32 fuzzy_distance(const char *s1, int len1, const char *s2, int len2);

 struct bitbag *bitbag_create(int max_ndx);