tool_urlglob: make multiply() bail out on negative values
authorDaniel Stenberg <daniel@haxx.se>
Thu, 12 Oct 2023 22:13:23 +0000 (00:13 +0200)
committerDaniel Stenberg <daniel@haxx.se>
Fri, 13 Oct 2023 08:18:09 +0000 (10:18 +0200)
- Does not work correctly with negative values
- use __builtin_mul_overflow() on gcc

Reported-by: Torben Dury
Closes #12102

src/tool_urlglob.c

index 69016179deb4b0fab5390c7442ab6a3fb02256e0..72eab82ce0361ac24f1099c6418df4aa6323fc73 100644 (file)
@@ -66,13 +66,22 @@ static CURLcode glob_fixed(struct URLGlob *glob, char *fixed, size_t len)
  */
 static int multiply(curl_off_t *amount, curl_off_t with)
 {
-  curl_off_t sum = *amount * with;
-  if(!with) {
-    *amount = 0;
-    return 0;
+  curl_off_t sum;
+  DEBUGASSERT(*amount >= 0);
+  DEBUGASSERT(with >= 0);
+  if((with <= 0) || (*amount <= 0)) {
+    sum = 0;
+  }
+  else {
+#ifdef __GNUC__
+    if(__builtin_mul_overflow(*amount, with, &sum))
+      return 1;
+#else
+    sum = *amount * with;
+    if(sum/with != *amount)
+      return 1; /* didn't fit, bail out */
+#endif
   }
-  if(sum/with != *amount)
-    return 1; /* didn't fit, bail out */
   *amount = sum;
   return 0;
 }
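Review bot: The non-GCC branch still executes `sum = *amount * with;` before it tests for overflow, and signed overflow on curl_off_t is undefined behaviour, so the following `sum/with != *amount` test may be optimised away or give the wrong answer. Both operands are known to be positive at that point, so a pre-check such as `if(*amount > CURL_OFF_T_MAX / with) return 1;` placed before the multiply avoids the overflow entirely (assuming CURL_OFF_T_MAX is visible in this file). The `#ifdef __GNUC__` gate is also wider than the builtin's availability: `__builtin_mul_overflow` arrived in GCC 5, so an older GCC would take this branch and fail to compile unless the condition also checks the compiler version. Finally, where DEBUGASSERT is compiled out, a negative operand gives `*amount = 0` with return 0 rather than an error; if that is intended, a comment such as `/* negative or zero operands yield zero combinations, not an error */` on the first branch would say so, since the commit title says "bail out".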