tool_urlglob: add integer overflow protection
authorDaniel Stenberg <daniel@haxx.se>
Tue, 26 Aug 2025 06:56:07 +0000 (08:56 +0200)
committerDaniel Stenberg <daniel@haxx.se>
Tue, 26 Aug 2025 07:50:00 +0000 (09:50 +0200)
It is most likely impossible to actually overflow, but this makes it
certain.

Closes #18398

src/tool_urlglob.c

index 028520373e1ffba860fbcfdf2a4ad979ec78a963..964789875565c1a2674993e0d7a865aca49afdc8 100644 (file)
@@ -124,17 +124,21 @@ static CURLcode glob_set(struct URLGlob *glob, const char **patternp,
       /* add 1 to size since it will be incremented below */
       if(multiply(amount, pat->c.set.size + 1))
         return globerror(glob, "range overflow", 0, CURLE_URL_MALFORMAT);
-
+      done = TRUE;
       FALLTHROUGH();
     case ',':
       if(pat->c.set.elem) {
-        char **new_arr = realloc(pat->c.set.elem,
-                                 (size_t)(pat->c.set.size + 1) *
-                                 sizeof(char *));
-        if(!new_arr)
+        char **arr;
+
+        if(pat->c.set.size >= (curl_off_t)(SIZE_T_MAX/(sizeof(char *))))
+          return globerror(glob, "range overflow", 0, CURLE_URL_MALFORMAT);
+
+        arr = realloc(pat->c.set.elem, (size_t)(pat->c.set.size + 1) *
+                      sizeof(char *));
+        if(!arr)
           return globerror(glob, NULL, 0, CURLE_OUT_OF_MEMORY);
 
-        pat->c.set.elem = new_arr;
+        pat->c.set.elem = arr;
       }
       else
         pat->c.set.elem = malloc(sizeof(char *));
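Review bot: The new guard ahead of the `realloc` in the `','` case carries no comment, and its `>=` bound is easy to misread as off by one. It protects the `(size_t)(pat->c.set.size + 1) * sizeof(char *)` product in the statement that follows, so a line such as `/* size + 1 pointers must still fit in a size_t byte count */` above the `if` would make the intent checkable. The guard also reuses the "range overflow" text already returned by the `multiply()` check a few lines earlier, so the two failures cannot be told apart from the error output; a distinct message would help triage. glob_set starts before this hunk, and the NULL check for the `malloc` in the `else` branch is not visible here.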
@@ -149,14 +153,9 @@ static CURLcode glob_set(struct URLGlob *glob, const char **patternp,
       ++pat->c.set.size;
       curlx_dyn_reset(&glob->buf);
 
-      if(*pattern == '}') {
-        pattern++; /* pass the closing brace */
-        done = TRUE;
-        continue;
-      }
-
       ++pattern;
-      ++(*posp);
+      if(!done)
+        ++(*posp);
       break;
 
     case ']':                           /* illegal closing bracket */
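Review bot: `if(!done) ++(*posp);` depends on `done` having been set in the `'}'` case of the previous hunk, which is not apparent when reading this spot alone; a comment like `/* the closing brace is not counted in *posp */` would record that. The removed branch left the loop iteration with `continue`, while the new path reaches `break`, which only leaves the switch. If any statement follows the switch inside the enclosing loop (not visible in this hunk), it now also runs for the closing brace, so that is worth confirming. glob_set continues past the end of the hunk.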