From 5a10f487783557c8d1886b2bcc4eaae34c80ca2a Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 27 Mar 2023 13:02:08 +0200
Subject: [PATCH] dynbuf: never allocate larger than "toobig"

As dynbufs always have a fixed maximum size which they are not allowed
to grow larger than, making sure that it never allocates a larger buffer
makes sure the buffer does not allocate memory that will never be used.

Closes #10845
---
 lib/dynbuf.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/lib/dynbuf.c b/lib/dynbuf.c
index bd3b9356c7..0c9c491aeb 100644
--- a/lib/dynbuf.c
+++ b/lib/dynbuf.c
@@ -76,6 +76,7 @@ static CURLcode dyn_nappend(struct dynbuf *s,
   DEBUGASSERT(s->toobig);
   DEBUGASSERT(indx < s->toobig);
   DEBUGASSERT(!s->leng || s->bufr);
+  DEBUGASSERT(a <= s->toobig);
 
   if(fit > s->toobig) {
     Curl_dyn_free(s);
@@ -84,7 +85,9 @@ static CURLcode dyn_nappend(struct dynbuf *s,
   else if(!a) {
     DEBUGASSERT(!indx);
     /* first invoke */
-    if(fit < MIN_FIRST_ALLOC)
+    if(MIN_FIRST_ALLOC > s->toobig)
+      a = s->toobig;
+    else if(fit < MIN_FIRST_ALLOC)
       a = MIN_FIRST_ALLOC;
     else
       a = fit;
@@ -92,6 +95,9 @@ static CURLcode dyn_nappend(struct dynbuf *s,
   else {
     while(a < fit)
       a *= 2;
+    if(a > s->toobig)
+      /* no point in allocating a larger buffer than this is allowed to use */
+      a = s->toobig;
   }
 
   if(a != s->allc) {
-- 
2.47.3