From 400b6ec1771fd258f1faf906bd47dccca177d1ee Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Fri, 22 Sep 2017 14:24:39 +0200
Subject: file_range: avoid integer overflow when figuring out byte range
When trying to bump the value with one and the value is already at max, it causes an integer overflow.
Detected by oss-fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3465
Assisted-by: Max Dymond
---
 lib/file.c | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'lib/file.c')
diff --git a/lib/file.c b/lib/file.c
index 82c576f38..7cfdab19f 100644
--- a/lib/file.c
+++ b/lib/file.c
@@ -165,6 +165,9 @@ static CURLcode file_range(struct connectdata *conn)
 else {
 /* X-Y */
 totalsize = to-from;
+ if(totalsize == CURL_OFF_T_MAX)
+ /* this is too big to increase, so bail out */
+ return CURLE_RANGE_ERROR;
 data->req.maxdownload = totalsize + 1; /* include last byte */
 data->state.resume_from = from;
 DEBUGF(infof(data, "RANGE from %" CURL_FORMAT_CURL_OFF_T
--
cgit v1.2.1
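Review bot: The subtraction `totalsize = to-from;` on the context line above the new guard is still unchecked within this hunk, because the added test only protects the `+ 1` increment. If a range with `to < from` can reach this X-Y branch, `totalsize` becomes negative and `data->req.maxdownload` is set from it, which the `== CURL_OFF_T_MAX` comparison does not catch. Whether earlier code in file_range() already rejects that case is not visible here, since the function starts and ends outside the hunk. If it does not, a check before the subtraction such as `if(from > to) return CURLE_RANGE_ERROR;` would reject a reversed range in the same place. A one-line comment on the new test saying that `to` and `from` are assumed non-negative at this point would also record why the subtraction itself cannot overflow.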