From 6d0fcdf2ed9942ad92665c2b96ab431c8829b53d Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 13 Oct 2025 09:45:28 +0200
Subject: [PATCH] libssh: catch a resume point larger than the size

As it would otherwise trigger broken math

Reported-by: Joshua Rogers
Closes #19044
---
 lib/vssh/libssh.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c
index 69666c5388..6bb32643af 100644
--- a/lib/vssh/libssh.c
+++ b/lib/vssh/libssh.c
@@ -1239,6 +1239,10 @@ static int myssh_in_UPLOAD_INIT(struct Curl_easy *data,
 
     /* now, decrease the size of the read */
     if(data->state.infilesize > 0) {
+      if(data->state.resume_from > data->state.infilesize) {
+        failf(data, "Resume point beyond size");
+        return myssh_to_ERROR(data, sshc, CURLE_BAD_FUNCTION_ARGUMENT);
+      }
       data->state.infilesize -= data->state.resume_from;
       data->req.size = data->state.infilesize;
       Curl_pgrsSetUploadSize(data, data->state.infilesize);
-- 
2.47.3