From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 28 Apr 2025 11:41:20 +0000 (+0200)
Subject: progress: avoid integer overflow when gathering total transfer size
X-Git-Tag: curl-8_14_0~189
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=69ce9a7feb0ef854940daec75fc91d13bcd68400;p=thirdparty%2Fcurl.git

progress: avoid integer overflow when gathering total transfer size

Reported by OSS-fuzz

Closes #17207
---

diff --git a/lib/progress.c b/lib/progress.c
index 82cbeb3770..f02bfb2c08 100644
--- a/lib/progress.c
+++ b/lib/progress.c
@@ -509,6 +509,7 @@ static void progress_meter(struct Curl_easy *data)
   struct pgrs_estimate total_estm;
   curl_off_t total_cur_size;
   curl_off_t total_expected_size;
+  curl_off_t dl_size;
   char time_left[10];
   char time_total[10];
   char time_spent[10];
@@ -541,9 +542,17 @@ static void progress_meter(struct Curl_easy *data)
 
   /* Get the total amount of data expected to get transferred */
   total_expected_size =
-    ((p->flags & PGRS_UL_SIZE_KNOWN) ? p->ul.total_size : p->ul.cur_size) +
+    ((p->flags & PGRS_UL_SIZE_KNOWN) ? p->ul.total_size : p->ul.cur_size);
+
+  dl_size =
     ((p->flags & PGRS_DL_SIZE_KNOWN) ? p->dl.total_size : p->dl.cur_size);
 
+  /* integer overflow check */
+  if((CURL_OFF_T_MAX - total_expected_size) > dl_size)
+    total_expected_size = CURL_OFF_T_MAX; /* capped */
+  else
+    total_expected_size += dl_size;
+
   /* We have transferred this much so far */
   total_cur_size = p->dl.cur_size + p->ul.cur_size;