
file_range: avoid integer overflow when figuring out byte range

When trying to bump the value by one when it is already at its maximum,
an integer overflow occurs.

Closes #1908
Detected by oss-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3465

Assisted-by: Max Dymond
Daniel Stenberg 2017-09-22 14:24:39 +02:00
parent b6a90bca33
commit afbdc96638
No known key found for this signature in database
GPG Key ID: 5CC908FDB71E12C2


@ -165,6 +165,9 @@ static CURLcode file_range(struct connectdata *conn)
else { else {
/* X-Y */ /* X-Y */
totalsize = to-from; totalsize = to-from;
if(totalsize == CURL_OFF_T_MAX)
/* this is too big to increase, so bail out */
return CURLE_RANGE_ERROR;
data->req.maxdownload = totalsize + 1; /* include last byte */ data->req.maxdownload = totalsize + 1; /* include last byte */
data->state.resume_from = from; data->state.resume_from = from;
DEBUGF(infof(data, "RANGE from %" CURL_FORMAT_CURL_OFF_T DEBUGF(infof(data, "RANGE from %" CURL_FORMAT_CURL_OFF_T
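Review bot: The subtraction `totalsize = to-from;` just above the new guard is still unchecked, so the guard only covers the `+ 1` step. If a range with `from > to` can reach this X-Y branch, `totalsize` goes negative and `maxdownload` ends up zero or negative. If `from` can be negative, the signed subtraction itself can overflow before the `CURL_OFF_T_MAX` comparison runs. The parsing and any earlier validation of `from` and `to` sit outside this hunk, so this may already be handled there. If not, add `if(from > to) return CURLE_RANGE_ERROR;` before the subtraction so it rejects reversed ranges with the same error code. A short comment on the new check, such as `/* totalsize + 1 below would overflow curl_off_t */`, would also tie it to the line it protects.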