From: Daniel Stenberg Date: Thu, 12 Oct 2023 22:13:23 +0000 (+0200) Subject: tool_urlglob: make multiply() bail out on negative values X-Git-Tag: curl-8_5_0~257 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8a45a495afbe88b5a743b9c4724458af483e2ea8;p=thirdparty%2Fcurl.git tool_urlglob: make multiply() bail out on negative values - Does not work correctly with negative values - use __builtin_mul_overflow() on gcc Reported-by: Torben Dury Closes #12102
---
diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c
index 69016179de..72eab82ce0 100644
--- a/src/tool_urlglob.c
+++ b/src/tool_urlglob.c
@@ -66,13 +66,22 @@ static CURLcode glob_fixed(struct URLGlob *glob, char *fixed, size_t len)
 */
 static int multiply(curl_off_t *amount, curl_off_t with)
 {
- curl_off_t sum = *amount * with;
- if(!with) {
- *amount = 0;
- return 0;
+ curl_off_t sum;
+ DEBUGASSERT(*amount >= 0);
+ DEBUGASSERT(with >= 0);
+ if((with <= 0) || (*amount <= 0)) {
+ sum = 0;
+ }
+ else {
+#ifdef __GNUC__
+ if(__builtin_mul_overflow(*amount, with, &sum))
+ return 1;
+#else
+ sum = *amount * with;
+ if(sum/with != *amount)
+ return 1; /* didn't fit, bail out */
+#endif
 }
- if(sum/with != *amount)
- return 1; /* didn't fit, bail out */
 *amount = sum;
 return 0;
 }
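Review bot: In the non-GCC branch, `sum = *amount * with;` still performs the signed multiplication before the `sum/with != *amount` test, so an overflowing product is undefined behaviour for a signed `curl_off_t` and a compiler is free to drop the check that depends on it. Both operands are known to be positive at that point, so the bound can be tested before multiplying: `if(*amount > CURL_OFF_T_MAX / with) return 1;` followed by `sum = *amount * with;`. Separately, `#ifdef __GNUC__` is also true for GCC releases older than 5, which as far as I know do not provide `__builtin_mul_overflow()`, so a version test on that guard would keep older toolchains on the fallback path. If `DEBUGASSERT` compiles to nothing in release builds, as it appears to, a negative operand there produces `*amount = 0` with return value 0 rather than an error, which is worth a short comment above the `if((with <= 0) || (*amount <= 0))` line so callers know a zero count can come back as success.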