tool_cb_prg: Fix integer overflow in progress bar

Commit 61faa0b420c236480bc9ef6fd52b4ecc1e0f8d17 fixed the progress bar
width calculation to avoid integer overflow, but failed to account for
the fact that initial_size is initialized to -1 when the file size is
retrieved from the remote on an upload, causing another signed integer
overflow.  Fix by separately checking for this case before the width
calculation.

Closes #3984
Reported-by: Brian Carpenter (Geeknik Labs)
Reviewed-by: Daniel Stenberg <daniel@haxx.se>

1 files changed, 9 insertions, 4 deletions

diff --git a/src/tool_cb_prg.c b/src/tool_cb_prg.c
index e2ee54225..05fe0e636 100644
--- a/src/tool_cb_prg.c
+++ b/src/tool_cb_prg.c
@@ -125,14 +125,19 @@ int tool_progress_cb(void *clientp,
   curl_off_t total;
   curl_off_t point;
 
-  /* expected transfer size */
-  if((CURL_OFF_T_MAX - bar->initial_size) < (dltotal + ultotal))
+  /* Calculate expected transfer size. initial_size can be less than zero
+     when indicating that we are expecting to get the filesize from the
+     remote */
+  if(bar->initial_size < 0 ||
+     ((CURL_OFF_T_MAX - bar->initial_size) < (dltotal + ultotal)))
     total = CURL_OFF_T_MAX;
   else
     total = dltotal + ultotal + bar->initial_size;
 
-  /* we've come this far */
-  if((CURL_OFF_T_MAX - bar->initial_size) < (dlnow + ulnow))
+  /* Calculate the current progress. initial_size can be less than zero when
+     indicating that we are expecting to get the filesize from the remote */
+  if(bar->initial_size < 0 ||
+     ((CURL_OFF_T_MAX - bar->initial_size) < (dlnow + ulnow)))
     point = CURL_OFF_T_MAX;
   else
     point = dlnow + ulnow + bar->initial_size;