Unverified Commit afbdc966 authored by Daniel Stenberg's avatar Daniel Stenberg
Browse files

file_range: avoid integer overflow when figuring out byte range 

When trying to bump the value with one and the value is already at max,
it causes an integer overflow.

Closes #1908
Detected by oss-fuzz:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3465

Assisted-by: Max Dymond
parent b6a90bca

lib/file.c

+3 −0
Original line number Diff line number Diff line
@@ -165,6 +165,9 @@ static CURLcode file_range(struct connectdata *conn) 
    else {

      /* X-Y */

      totalsize = to-from;

      if(totalsize == CURL_OFF_T_MAX)

        /* this is too big to increase, so bail out */

        return CURLE_RANGE_ERROR;

      data->req.maxdownload = totalsize + 1; /* include last byte */

      data->state.resume_from = from;

      DEBUGF(infof(data, "RANGE from %" CURL_FORMAT_CURL_OFF_T