file_range: avoid integer overflow when figuring out byte rangebagder/file-range-overflow

When trying to bump the value with one and the value is already at max, it causes an integer overflow. Detected by oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3465 Assisted-by: Max Dymond
author: Daniel Stenberg <daniel@haxx.se> 2017-09-22 14:24:39 +0200
committer: Daniel Stenberg <daniel@haxx.se> 2017-09-22 14:24:39 +0200
commit: 400b6ec1771fd258f1faf906bd47dccca177d1ee (patch)
tree: cf79a47002cf18141aa5b86764227b3090eca70c
parent: b8e0fe19ec3bd3b673a14043a4b5e656d9c26d06 (diff)
download: curl-bagder/file-range-overflow.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/lib/file.c b/lib/file.c
index 82c576f38..7cfdab19f 100644
--- a/lib/file.c
+++ b/lib/file.c
@@ -165,6 +165,9 @@ static CURLcode file_range(struct connectdata *conn)
     else {
       /* X-Y */
       totalsize = to-from;
+      if(totalsize == CURL_OFF_T_MAX)
+        /* this is too big to increase, so bail out */
+        return CURLE_RANGE_ERROR;
       data->req.maxdownload = totalsize + 1; /* include last byte */
       data->state.resume_from = from;
       DEBUGF(infof(data, "RANGE from %" CURL_FORMAT_CURL_OFF_T
author	Daniel Stenberg <daniel@haxx.se>	2017-09-22 14:24:39 +0200
committer	Daniel Stenberg <daniel@haxx.se>	2017-09-22 14:24:39 +0200
commit	400b6ec1771fd258f1faf906bd47dccca177d1ee (patch)
tree	cf79a47002cf18141aa5b86764227b3090eca70c
parent	b8e0fe19ec3bd3b673a14043a4b5e656d9c26d06 (diff)
download	curl-bagder/file-range-overflow.tar.gz