From 6df5f35e6ac5f0f1adf7e5c7bf4bd2ec87b9d4bb Mon Sep 17 00:00:00 2001
From: Daniel Gustafsson
Date: Mon, 10 Jun 2019 09:32:30 +0200
Subject: [PATCH] tool_cb_prg: Fix integer overflow in progress bar
Commit 61faa0b420c236480bc9ef6fd52b4ecc1e0f8d17 fixed the progress bar width calculation to avoid integer overflow, but failed to account for the fact that initial_size is initialized to -1 when the file size is retrieved from the remote on an upload, causing another signed integer overflow. Fix by separately checking for this case before the width calculation.
Closes #3984
Reported-by: Brian Carpenter (Geeknik Labs)
Reviewed-by: Daniel Stenberg
---
 src/tool_cb_prg.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/src/tool_cb_prg.c b/src/tool_cb_prg.c
index e2ee54225..05fe0e636 100644
--- a/src/tool_cb_prg.c
+++ b/src/tool_cb_prg.c
@@ -125,14 +125,19 @@ int tool_progress_cb(void *clientp,
 curl_off_t total;
 curl_off_t point;

- /* expected transfer size */
- if((CURL_OFF_T_MAX - bar->initial_size) < (dltotal + ultotal))
+ /* Calculate expected transfer size. initial_size can be less than zero
+ when indicating that we are expecting to get the filesize from the
+ remote */
+ if(bar->initial_size < 0 ||
+ ((CURL_OFF_T_MAX - bar->initial_size) < (dltotal + ultotal)))
 total = CURL_OFF_T_MAX;
 else
 total = dltotal + ultotal + bar->initial_size;

- /* we've come this far */
- if((CURL_OFF_T_MAX - bar->initial_size) < (dlnow + ulnow))
+ /* Calculate the current progress. initial_size can be less than zero when
+ indicating that we are expecting to get the filesize from the remote */
+ if(bar->initial_size < 0 ||
+ ((CURL_OFF_T_MAX - bar->initial_size) < (dlnow + ulnow)))
 point = CURL_OFF_T_MAX;
 else
 point = dlnow + ulnow + bar->initial_size;
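Review bot: The inner sums `dltotal + ultotal` and `dlnow + ulnow` are still evaluated unchecked inside both new conditions, so the guard only protects the later addition of `bar->initial_size`; if these counters are `curl_off_t` like `total` and `point` (their declarations are outside the hunk), two large values, one of which presumably reflects a size announced by the remote, can overflow a signed type before the comparison runs. Consider saturating on the pair first, e.g. `if(bar->initial_size < 0 || dltotal > CURL_OFF_T_MAX - ultotal || (CURL_OFF_T_MAX - bar->initial_size) < (dltotal + ultotal))`, with the same shape for `dlnow`/`ulnow`; this assumes the counters are never negative, which should be confirmed. Since the two guards are now identical apart from their operands, a small static helper that adds three `curl_off_t` values with saturation would keep them from drifting apart. tool_progress_cb starts and ends outside the hunk, so how a saturated `total == CURL_OFF_T_MAX` is rendered further down is not visible here.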