Fix a variable potential wrapping in add_buffer() when using absolutely

huge send buffer sizes

CHANGES

@@ -6,6 +6,10 @@
 
                                   Changelog
 
+Yang Tse (14 Nov 2007)
+- Fix a variable potential wrapping in add_buffer() when using absolutely
+  huge send buffer sizes.
+
 Daniel S (13 Nov 2007)
 - Fixed a remaining problem with doing SFTP directory listings on a re-used
   persistent connection. Mentioned by Immanuel Gregoire on the mailing list.

RELEASE-NOTES

@@ -20,6 +20,7 @@ This release includes the following bugfixes:
  o curl.h version 7.17.1 problem when building C++ apps with MSVC
  o SFTP and SCP use persistent connections
  o segfault on bad URL
+ o variable wrapping when using absolutely huge send buffer sizes
 
 This release includes the following known bugs:
 

lib/http.c

@@ -1083,9 +1083,28 @@ CURLcode add_buffer(send_buffer *in, const void *inptr, size_t size)
   char *new_rb;
   size_t new_size;
 
+  if(~size < in->size_used) {
+    /* If resulting used size of send buffer would wrap size_t, cleanup
+       the whole buffer and return error. Otherwise the required buffer
+       size will fit into a single allocatable memory chunk */
+    Curl_safefree(in->buffer);
+    free(in);
+    return CURLE_OUT_OF_MEMORY;
+  }
+
   if(!in->buffer ||
      ((in->size_used + size) > (in->size_max - 1))) {
-    new_size = (in->size_used+size)*2;
+
+    /* If current buffer size isn't enough to hold the result, use a
+       buffer size that doubles the required size. If this new size
+       would wrap size_t, then just use the largest possible one */
+
+    if((size > (size_t)-1/2) || (in->size_used > (size_t)-1/2) ||
+       (~(size*2) < (in->size_used*2)))
+      new_size = (size_t)-1;
+    else
+      new_size = (in->size_used+size)*2;
+
     if(in->buffer)
       /* we have a buffer, enlarge the existing one */
       new_rb = (char *)realloc(in->buffer, new_size);