From 584d0121c353ed855115c39f6cbc009854018029 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Fri, 3 Jun 2016 11:26:20 +0200
Subject: [PATCH] tool_urlglob: fix off-by-one error in glob_parse()

... causing SIGSEGV while parsing URL with too many globs.
Minimal example:

$ curl $(for i in $(seq 101); do printf '{a}'; done)

Reported-by: Romain Coltel
Bug: https://bugzilla.redhat.com/1340757
---
 RELEASE-NOTES      | 2 ++
 src/tool_urlglob.c | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 6cdd0e725..e20319c2a 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -19,6 +19,7 @@ This release includes the following bugfixes:
  o URL parser: allow URLs to use one, two or three slashes [6]
  o curl: fix -q [regression] [7]
  o openssl: Use correct buffer sizes for error messages [8]
+ o curl: fix SIGSEGV while parsing URL with too many globs [9]
 
 This release includes the following known bugs:
 
@@ -43,3 +44,4 @@ References to bug reports and discussions on issues:
  [6] = https://curl.haxx.se/bug/?i=791
  [7] = https://curl.haxx.se/bug/?i=842
  [8] = https://curl.haxx.se/bug/?i=844
+ [9] = https://bugzilla.redhat.com/1340757
diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c
index 70d17fed1..a357b8b56 100644
--- a/src/tool_urlglob.c
+++ b/src/tool_urlglob.c
@@ -401,7 +401,7 @@ static CURLcode glob_parse(URLGlob *glob, char *pattern,
       }
     }
 
-    if(++glob->size > GLOB_PATTERN_NUM)
+    if(++glob->size >= GLOB_PATTERN_NUM)
       return GLOBERROR("too many globs", pos, CURLE_URL_MALFORMAT);
   }
   return res;