vauth/cleartext: fix theoretical integer overflow

Fix theoretical integer overflow in Curl_auth_create_plain_message.

The security impact of the overflow was discussed on hackerone. We
agreed this is more of a theoretical vulnerability, as the integer
overflow would only be triggerable on systems using 32-bits size_t with
over 4GB of available memory space for the process.

Closes #5391

diff --git a/lib/vauth/cleartext.c b/lib/vauth/cleartext.c
index 6f452c16942242359c3d1ed538cfd9b911bc9fd2..001f6ea9a91bc58acf4e71d04c0527aa5b9ee046 100644 (file)
--- a/lib/vauth/cleartext.c
+++ b/lib/vauth/cleartext.c
@@ -81,7 +81,8 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data,
   plen = strlen(passwd);
 
   /* Compute binary message length. Check for overflows. */
-  if(((zlen + clen) > SIZE_T_MAX/4) || (plen > (SIZE_T_MAX/2 - 2)))
+  if((zlen > SIZE_T_MAX/4) || (clen > SIZE_T_MAX/4) ||
+     (plen > (SIZE_T_MAX/2 - 2)))
     return CURLE_OUT_OF_MEMORY;
   plainlen = zlen + clen + plen + 2;