From 69ce9a7feb0ef854940daec75fc91d13bcd68400 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Mon, 28 Apr 2025 13:41:20 +0200
Subject: [PATCH] progress: avoid integer overflow when gathering total transfer size
Reported by OSS-fuzz
Closes #17207
---
 lib/progress.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/lib/progress.c b/lib/progress.c
index 82cbeb3770..f02bfb2c08 100644
--- a/lib/progress.c
+++ b/lib/progress.c
@@ -509,6 +509,7 @@ static void progress_meter(struct Curl_easy *data)
 struct pgrs_estimate total_estm;
 curl_off_t total_cur_size;
 curl_off_t total_expected_size;
+ curl_off_t dl_size;
 char time_left[10];
 char time_total[10];
 char time_spent[10];
@@ -541,9 +542,17 @@ static void progress_meter(struct Curl_easy *data) /* Get the total amount of data expected to get transferred */ total_expected_size = - ((p->flags & PGRS_UL_SIZE_KNOWN) ? p->ul.total_size : p->ul.cur_size) + + ((p->flags & PGRS_UL_SIZE_KNOWN) ? p->ul.total_size : p->ul.cur_size); + + dl_size = ((p->flags & PGRS_DL_SIZE_KNOWN) ? p->dl.total_size : p->dl.cur_size); + /* integer overflow check */ + if((CURL_OFF_T_MAX - total_expected_size) > dl_size) + total_expected_size = CURL_OFF_T_MAX; /* capped */ + else + total_expected_size += dl_size; + /* We have transferred this much so far */ total_cur_size = p->dl.cur_size + p->ul.cur_size;
--
2.47.3
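Review bot: The overflow guard added in the second hunk looks inverted: `(CURL_OFF_T_MAX - total_expected_size) > dl_size` is true exactly when the sum still fits, so ordinary transfers get their expected total capped to CURL_OFF_T_MAX, while the near-limit case falls through to `total_expected_size += dl_size` and can still overflow. The condition should read `if((CURL_OFF_T_MAX - total_expected_size) < dl_size)`. The subtraction itself is only safe while total_expected_size is non-negative, which the visible lines do not establish. The context line `total_cur_size = p->dl.cur_size + p->ul.cur_size;` adds two curl_off_t values with no guard and may deserve the same treatment. progress_meter starts and ends outside the hunk.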