From 3f8a727611b9fb048c407ee865e6e3a3f3150c9c Mon Sep 17 00:00:00 2001
From: Max Dymond <cmeister2@gmail.com>
Date: Mon, 29 Jan 2018 10:12:40 +0000
Subject: Curl_range: add check to ensure "from <= to"

---
 lib/curl_range.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/lib/curl_range.c b/lib/curl_range.c
index e24215f4d..849e12fd3 100644
--- a/lib/curl_range.c
+++ b/lib/curl_range.c
@@ -36,7 +36,6 @@
 CURLcode Curl_range(struct connectdata *conn)
 {
   curl_off_t from, to;
-  curl_off_t totalsize = -1;
   char *ptr;
   char *ptr2;
   struct Curl_easy *data = conn->data;
@@ -67,10 +66,16 @@ CURLcode Curl_range(struct connectdata *conn)
     }
     else {
       /* X-Y */
-      totalsize = to-from;
+      curl_off_t totalsize;
+
+      /* Ensure the range is sensible - to should follow from. */
+      if(from > to)
+        return CURLE_RANGE_ERROR;
+
+      totalsize = to - from;
       if(totalsize == CURL_OFF_T_MAX)
-        /* this is too big to increase, so bail out */
         return CURLE_RANGE_ERROR;
+
       data->req.maxdownload = totalsize + 1; /* include last byte */
       data->state.resume_from = from;
       DEBUGF(infof(data, "RANGE from %" CURL_FORMAT_CURL_OFF_T
-- 
cgit v1.2.1