Version 1.0.40 of pure-FTPd fixes a potential denial of service issue.

From the NEWS file:

 - The process handling a user session could be crashed by trying to
 match a file pattern longer than the maximum length for a path. This
 has been fixed. Upgrading is recommended.

Upstream commit that fixes this:
https://github.com/jedisct1/pure-ftpd/commit/0627004e23a24108785dc1506c5767392b90f807

References:
https://bugs.gentoo.org/show_bug.cgi?id=552254
https://bugzilla.redhat.com/1233267

Fix:
 src/bsd-glob.c
@@ -151,9 +151,6 @@ glob_(const char *pattern, int flags, int (*errfunc)(const char *, int),
     Char *bufnext, *bufend, patbuf[PATH_MAX];
     struct glob_lim limit = { 0, 0, 0 };
 
-    if (strlen(pattern) >= PATH_MAX) {
-        return GLOB_NOMATCH;
-    }
     pglob->gl_maxdepth = maxdepth;
     pglob->gl_maxfiles = maxfiles;
     patnext = (unsigned char *) pattern;
@@ -174,6 +171,9 @@ glob_(const char *pattern, int flags, int (*errfunc)(const char *, int),
         pglob->gl_pathc >= INT_MAX - pglob->gl_offs - 1) {
         return GLOB_NOSPACE;
     }
+    if (strlen(pattern) >= PATH_MAX) {
+        return GLOB_NOMATCH;
+    }    
     bufnext = patbuf;
     bufend = bufnext + PATH_MAX - 1;
     if (flags & GLOB_NOESCAPE) {