erofs: Bound recursion depth in populate_directory to prevent stack overflow

A crafted EROFS image with directory cycles can cause unbounded recursion
in populate_directory(), leading to a stack overflow. Add a depth parameter
and enforce a maximum of PATH_MAX / 2 (2048) levels, matching the
theoretical limit for valid filesystem paths.

Found by cargo-fuzz.

Assisted-by: OpenCode (Claude Opus 4)
Signed-off-by: Colin Walters <walters@verbum.org>

Author: cgwalters

crates/composefs/src/erofs/reader.rs

@@ -1007,21 +1007,30 @@ fn dir_entries<'a>(
     Ok(entries)
 }
 
+/// Maximum directory nesting depth. PATH_MAX is 4096 on Linux, and directory names
+/// must be at least 2 bytes (1 char + separator), so the theoretical max is PATH_MAX / 2.
+const MAX_DIRECTORY_DEPTH: usize = 4096 / 2;
+
 /// Recursively populate a `tree::Directory` from an erofs directory inode.
 fn populate_directory<ObjectID: FsVerityHashValue>(
     img: &Image,
     dir_inode: &InodeType,
     dir: &mut tree::Directory<ObjectID>,
     hardlinks: &mut HashMap<u64, Rc<tree::Leaf<ObjectID>>>,
+    depth: usize,
 ) -> anyhow::Result<()> {
+    if depth >= MAX_DIRECTORY_DEPTH {
+        return Err(ErofsReaderError::DepthExceeded.into());
+    }
+
     for (name_bytes, nid) in dir_entries(img, dir_inode)? {
         let name = OsStr::from_bytes(name_bytes);
         let child_inode = img.inode(nid)?;
 
         if child_inode.mode().is_dir() {
             let child_stat = stat_from_inode_for_tree(img, &child_inode)?;
             let mut child_dir = tree::Directory::new(child_stat);
-            populate_directory(img, &child_inode, &mut child_dir, hardlinks)
+            populate_directory(img, &child_inode, &mut child_dir, hardlinks, depth + 1)
                 .with_context(|| format!("reading directory {:?}", name))?;
             dir.insert(name, tree::Inode::Directory(Box::new(child_dir)));
         } else {
@@ -1090,7 +1099,7 @@ pub fn erofs_to_filesystem<ObjectID: FsVerityHashValue>(
 
     let mut hardlinks: HashMap<u64, Rc<tree::Leaf<ObjectID>>> = HashMap::new();
 
-    populate_directory(&img, &root_inode, &mut fs.root, &mut hardlinks)
+    populate_directory(&img, &root_inode, &mut fs.root, &mut hardlinks, 0)
         .context("reading root directory")?;
 
     Ok(fs)