setopt: avoid integer overflows when setting millsecond values

... that are multiplied by 1000 when stored.

For 32 bit long systems, the max value accepted (2147483 seconds) is >
596 hours which is unlikely to ever be set by a legitimate application -
and previously it didn't work either, it just caused undefined behavior.

Also updated the man pages for these timeout options to mention the
return code.

Closes #1938

docs/libcurl/opts/CURLOPT_CONNECTTIMEOUT.3

@@ -5,7 +5,7 @@
 .\" *                            | (__| |_| |  _ <| |___
 .\" *                             \___|\___/|_| \_\_____|
 .\" *
-.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
 .\" *
 .\" * This software is licensed as described in the file COPYING, which
 .\" * you should have received as part of this distribution. The terms
@@ -58,7 +58,8 @@ if(curl) {
 .SH AVAILABILITY
 Always
 .SH RETURN VALUE
-Returns CURLE_OK
+Returns CURLE_OK. Returns CURLE_BAD_FUNCTION_ARGUMENT if set to a negative
+value or a value that when converted to milliseconds is too large.
 .SH "SEE ALSO"
-.BR CURLOPT_CONNECTTIMEOUT_MS "(3), " 
+.BR CURLOPT_CONNECTTIMEOUT_MS "(3), "
 .BR CURLOPT_TIMEOUT "(3), " CURLOPT_LOW_SPEED_LIMIT "(3), "

docs/libcurl/opts/CURLOPT_FTP_RESPONSE_TIMEOUT.3

@@ -54,7 +54,9 @@ if(curl) {
 .SH AVAILABILITY
 Added in 7.10.8
 .SH RETURN VALUE
-Returns CURLE_OK if FTP is supported, and CURLE_UNKNOWN_OPTION if not.
+Returns CURLE_OK if FTP is supported, and CURLE_UNKNOWN_OPTION if not. Returns
+CURLE_BAD_FUNCTION_ARGUMENT if set to a negative value or a value that when
+converted to milliseconds is too large.
 .SH "SEE ALSO"
 .BR CURLOPT_TIMEOUT "(3), " CURLOPT_CONNECTTIMEOUT "(3), "
 .BR CURLOPT_LOW_SPEED_LIMIT "(3), "

docs/libcurl/opts/CURLOPT_TIMEOUT.3

@@ -5,7 +5,7 @@
 .\" *                            | (__| |_| |  _ <| |___
 .\" *                             \___|\___/|_| \_\_____|
 .\" *
-.\" * Copyright (C) 1998 - 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
+.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
 .\" *
 .\" * This software is licensed as described in the file COPYING, which
 .\" * you should have received as part of this distribution. The terms
@@ -64,7 +64,8 @@ if(curl) {
 .SH AVAILABILITY
 Always
 .SH RETURN VALUE
-Returns CURLE_OK
+Returns CURLE_OK. Returns CURLE_BAD_FUNCTION_ARGUMENT if set to a negative
+value or a value that when converted to milliseconds is too large.
 .SH "SEE ALSO"
-.BR CURLOPT_TIMEOUT_MS "(3), " 
+.BR CURLOPT_TIMEOUT_MS "(3), "
 .BR CURLOPT_CONNECTTIMEOUT "(3), " CURLOPT_LOW_SPEED_LIMIT "(3), "

lib/url.c

@@ -875,7 +875,11 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option,
      * Option that specifies how quickly an server response must be obtained
      * before it is considered failure. For pingpong protocols.
      */
-    data->set.server_response_timeout = va_arg(param, long) * 1000;
+    arg = va_arg(param, long);
+    if((arg>=0) && (arg < (INT_MAX/1000)))
+      data->set.server_response_timeout = arg * 1000;
+    else
+      return CURLE_BAD_FUNCTION_ARGUMENT;
     break;
   case CURLOPT_TFTP_NO_OPTIONS:
     /*
@@ -1725,7 +1729,11 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option,
      * The maximum time you allow curl to use for a single transfer
      * operation.
      */
-    data->set.timeout = va_arg(param, long) * 1000L;
+    arg = va_arg(param, long);
+    if((arg>=0) && (arg < (INT_MAX/1000)))
+      data->set.timeout = arg * 1000;
+    else
+      return CURLE_BAD_FUNCTION_ARGUMENT;
     break;
 
   case CURLOPT_TIMEOUT_MS:
@@ -1736,7 +1744,11 @@ CURLcode Curl_setopt(struct Curl_easy *data, CURLoption option,
     /*
      * The maximum time you allow curl to use to connect.
      */
-    data->set.connecttimeout = va_arg(param, long) * 1000L;
+    arg = va_arg(param, long);
+    if((arg>=0) && (arg < (INT_MAX/1000)))
+      data->set.connecttimeout = arg * 1000;
+    else
+      return CURLE_BAD_FUNCTION_ARGUMENT;
     break;
 
   case CURLOPT_CONNECTTIMEOUT_MS: