From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 13 Oct 2025 07:45:28 +0000 (+0200)
Subject: libssh: catch a resume point larger than the size
X-Git-Tag: rc-8_17_0-2~93
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6d0fcdf2ed9942ad92665c2b96ab431c8829b53d;p=thirdparty%2Fcurl.git

libssh: catch a resume point larger than the size

As it would otherwise trigger broken math

Reported-by: Joshua Rogers
Closes #19044
---

diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c
index 69666c5388..6bb32643af 100644
--- a/lib/vssh/libssh.c
+++ b/lib/vssh/libssh.c
@@ -1239,6 +1239,10 @@ static int myssh_in_UPLOAD_INIT(struct Curl_easy *data,
 
     /* now, decrease the size of the read */
     if(data->state.infilesize > 0) {
+      if(data->state.resume_from > data->state.infilesize) {
+        failf(data, "Resume point beyond size");
+        return myssh_to_ERROR(data, sshc, CURLE_BAD_FUNCTION_ARGUMENT);
+      }
       data->state.infilesize -= data->state.resume_from;
       data->req.size = data->state.infilesize;
       Curl_pgrsSetUploadSize(data, data->state.infilesize);