diff options
author | Daniel Stenberg <daniel@haxx.se> | 2017-09-22 14:24:39 +0200 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2017-09-22 14:24:39 +0200 |
commit | 400b6ec1771fd258f1faf906bd47dccca177d1ee (patch) | |
tree | cf79a47002cf18141aa5b86764227b3090eca70c | |
parent | b8e0fe19ec3bd3b673a14043a4b5e656d9c26d06 (diff) | |
download | curl-bagder/file-range-overflow.tar.gz |
file_range: avoid integer overflow when figuring out byte rangebagder/file-range-overflow
When trying to bump the value with one and the value is already at max,
it causes an integer overflow.
Detected by oss-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3465
Assisted-by: Max Dymond
-rw-r--r-- | lib/file.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/lib/file.c b/lib/file.c index 82c576f38..7cfdab19f 100644 --- a/lib/file.c +++ b/lib/file.c @@ -165,6 +165,9 @@ static CURLcode file_range(struct connectdata *conn) else { /* X-Y */ totalsize = to-from; + if(totalsize == CURL_OFF_T_MAX) + /* this is too big to increase, so bail out */ + return CURLE_RANGE_ERROR; data->req.maxdownload = totalsize + 1; /* include last byte */ data->state.resume_from = from; DEBUGF(infof(data, "RANGE from %" CURL_FORMAT_CURL_OFF_T |