From 4108d11008030c5c25adb28bf73ba392f80708a8 Mon Sep 17 00:00:00 2001
From: Cole Leavitt
Date: Wed, 30 Jul 2025 22:19:01 -0700
Subject: [PATCH] bufq: add integer overflow checks before chunk allocations

Closes #18112
---
 lib/bufq.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/lib/bufq.c b/lib/bufq.c
index 8783619eed..9919707b4c 100644
--- a/lib/bufq.c
+++ b/lib/bufq.c
@@ -174,6 +174,12 @@ static CURLcode bufcp_take(struct bufc_pool *pool,
 return CURLE_OK;
 }

+ /* Check for integer overflow before allocation */
+ if(pool->chunk_size > SIZE_MAX - sizeof(*chunk)) {
+ *pchunk = NULL;
+ return CURLE_OUT_OF_MEMORY;
+ }
+
 chunk = calloc(1, sizeof(*chunk) + pool->chunk_size);
 if(!chunk) {
 *pchunk = NULL;
@@ -302,6 +308,11 @@ static struct buf_chunk *get_spare(struct bufq *q)
 return chunk;
 }
 else {
+ /* Check for integer overflow before allocation */
+ if(q->chunk_size > SIZE_MAX - sizeof(*chunk)) {
+ return NULL;
+ }
+
 chunk = calloc(1, sizeof(*chunk) + q->chunk_size);
 if(!chunk)
 return NULL;
--
2.47.3
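Review bot: The new guard in bufcp_take depends on `SIZE_MAX`, but the patch adds no include for it, so confirm that `<stdint.h>` (or the project's own size_t limit macro, if it has one) is in scope on every supported toolchain. The same test is repeated in get_spare in the second hunk. The chunk size is presumably fixed when the pool or queue is initialised, so rejecting an oversized value once at that point would likely make both allocation-time checks redundant and keep the two copies from drifting. The comment could also state the consequence rather than the mechanism, e.g. `/* sizeof(*chunk) + chunk_size must not wrap, or calloc() is asked for less than chunk_size */`. bufcp_take's body starts and ends outside the hunk.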
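Review bot: The added check in get_spare braces a single statement, while the `if(!chunk)` directly below it in the same hunk does not; writing it as `if(q->chunk_size > SIZE_MAX - sizeof(*chunk))` followed by a bare `return NULL;` would match the surrounding style. Returning NULL here also makes an invalid chunk size indistinguishable from an allocation failure for the caller, which is probably acceptable but worth a word in the comment. get_spare's body starts and ends outside the hunk.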