summaryrefslogtreecommitdiff
path: root/lib/file.c
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2017-09-22 14:24:39 +0200
committerDaniel Stenberg <daniel@haxx.se>2017-09-23 18:21:15 +0200
commitafbdc96638a769d9bee8579d8b70f54537f5e891 (patch)
tree05506971e775dcd3e2bce2ef2c9d05aee18b17fc /lib/file.c
parentb6a90bca335b08971371fbceeae694d970aebcb6 (diff)
downloadcurl-afbdc96638a769d9bee8579d8b70f54537f5e891.tar.gz
file_range: avoid integer overflow when figuring out byte range
When trying to bump the value with one and the value is already at max, it causes an integer overflow. Closes #1908 Detected by oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3465 Assisted-by: Max Dymond
Diffstat (limited to 'lib/file.c')
-rw-r--r--lib/file.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/lib/file.c b/lib/file.c
index 82c576f38..7cfdab19f 100644
--- a/lib/file.c
+++ b/lib/file.c
@@ -165,6 +165,9 @@ static CURLcode file_range(struct connectdata *conn)
else {
/* X-Y */
totalsize = to-from;
+ if(totalsize == CURL_OFF_T_MAX)
+ /* this is too big to increase, so bail out */
+ return CURLE_RANGE_ERROR;
data->req.maxdownload = totalsize + 1; /* include last byte */
data->state.resume_from = from;
DEBUGF(infof(data, "RANGE from %" CURL_FORMAT_CURL_OFF_T