The glob limit to only allow 128 stat calls seems rather low. We allow 16384 readdir calls, by comparison. We also have a limit on the amount of memory used, which effectively caps stats too. Why 2048? I have 1435 files in /usr/local/bin and I think even a limited glob should be able to list them all.
For that matter, failed stats aren't much cheaper than successful stats, so we should probably do the counting before stat, not after. Index: glob.3 =================================================================== RCS file: /home/tedu/cvs/src/lib/libc/gen/glob.3,v retrieving revision 1.29 diff -u -p -r1.29 glob.3 --- glob.3 8 Oct 2010 21:48:42 -0000 1.29 +++ glob.3 18 Jan 2012 16:21:23 -0000 @@ -269,7 +269,7 @@ Limit the amount of memory used to store .Li 64K , the number of .Xr stat 2 -calls to 128, and the number of +calls to 2048, and the number of .Xr readdir 3 calls to 16K. This option should be set for programs that can be coerced to a denial of Index: glob.c =================================================================== RCS file: /home/tedu/cvs/src/lib/libc/gen/glob.c,v retrieving revision 1.38 diff -u -p -r1.38 glob.c --- glob.c 22 Sep 2011 06:27:29 -0000 1.38 +++ glob.c 18 Jan 2012 16:24:52 -0000 @@ -123,7 +123,7 @@ typedef char Char; #define ismeta(c) (((c)&M_QUOTE) != 0) #define GLOB_LIMIT_MALLOC 65536 -#define GLOB_LIMIT_STAT 128 +#define GLOB_LIMIT_STAT 2048 #define GLOB_LIMIT_READDIR 16384 /* Limit of recursion during matching attempts. */ @@ -628,8 +628,6 @@ glob2(Char *pathbuf, Char *pathbuf_last, for (anymeta = 0;;) { if (*pattern == EOS) { /* End of pattern? */ *pathend = EOS; - if (g_lstat(pathbuf, &sb, pglob)) - return(0); if ((pglob->gl_flags & GLOB_LIMIT) && limitp->glim_stat++ >= GLOB_LIMIT_STAT) { @@ -638,6 +636,8 @@ glob2(Char *pathbuf, Char *pathbuf_last, *pathend = EOS; return(GLOB_NOSPACE); } + if (g_lstat(pathbuf, &sb, pglob)) + return(0); if (((pglob->gl_flags & GLOB_MARK) && pathend[-1] != SEP) && (S_ISDIR(sb.st_mode) ||
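Review bot: in the glob.3 hunk (@@ -269,7 +269,7 @@), the three limits in this sentence are now written in mixed notation: ".Li 64K" for memory, a bare "2048" for stat(2) and "16K" for readdir(3). Consider writing the new value as 2K, or spelling all three out in full, so a reader can compare the limits at a glance.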
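Review bot: in the first glob.c hunk (@@ -123,7 +123,7 @@), the new "#define GLOB_LIMIT_STAT 2048" has no comment saying why this value was picked, and the accompanying message itself asks "Why 2048?". A one-line comment next to the define recording the rationale (large enough to list a directory of roughly 1.5K entries, still well below GLOB_LIMIT_READDIR) would keep the next person from having to guess.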
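Review bot: in the glob2() hunk (@@ -628,8 +628,6 @@), moving the "limitp->glim_stat++ >= GLOB_LIMIT_STAT" test above g_lstat() changes what a caller can observe and deserves a comment at the check. A path that fails lstat used to return 0 without touching the counter; it now consumes budget, so a GLOB_LIMIT caller whose pattern expands to many nonexistent paths can get GLOB_NOSPACE where it previously got an empty match. Because the test is a post-increment, and assuming glim_stat starts at zero, exactly GLOB_LIMIT_STAT lstat attempts are allowed and the next one is refused before any syscall is made, which matches the intent stated in the message. Please say in a comment above the check that the counter counts attempts rather than successes.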