tool_urlglob: avoid overflow at end of range

author Daniel Stenberg <daniel@haxx.se>

Thu, 7 May 2026 15:45:48 +0000 (17:45 +0200)

committer Daniel Stenberg <daniel@haxx.se>

Thu, 7 May 2026 20:58:20 +0000 (22:58 +0200)
author Daniel Stenberg <daniel@haxx.se>
Thu, 7 May 2026 15:45:48 +0000 (17:45 +0200)
committer Daniel Stenberg <daniel@haxx.se>
Thu, 7 May 2026 20:58:20 +0000 (22:58 +0200)
diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c

index ad1c8087da446a090a48eb49dfaf142a0b4e6df0..d2249980e2bfcefad314437e1550944c968831a3 100644 (file)
--- a/src/tool_urlglob.c
+++ b/src/tool_urlglob.c
@@ -324,8 +324,10 @@ static CURLcode glob_range(struct URLGlob *glob, const char **patternp,
        /* the pattern is not well-formed */
        return globerror(glob, "bad range", *posp, CURLE_URL_MALFORMAT);
  
-    /* typecasting to ints are fine here since we make sure above that we
-       are within 31 bits */
+    if((CURL_OFF_T_MAX - step_n) < max_n)
+      return globerror(glob, "range end/step overflow", *posp,
+                       CURLE_URL_MALFORMAT);
+
      pat->c.num.idx = pat->c.num.min = min_n;
      pat->c.num.max = max_n;
      pat->c.num.step = step_n;
diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am

index 0abf6a0998b9cf69ea56a42690f036e766b56efe..85ea4bcd1db4c6f1c757ce4bca7e432a4195103e 100644 (file)
--- a/tests/data/Makefile.am
+++ b/tests/data/Makefile.am
@@ -256,7 +256,7 @@ test2056 test2057 test2058 test2059 test2060 test2061 test2062 test2063 \
  test2064 test2065 test2066 test2067 test2068 test2069 test2070 test2071 \
  test2072 test2073 test2074 test2075 test2076 test2077 test2078 test2079 \
  test2080 test2081 test2082 test2083 test2084 test2085 test2086 test2087 \
-test2088 test2089 test2090 test2091 \
+test2088 test2089 test2090 test2091 test2092 \
  test2100 test2101 test2102 test2103 test2104 \
  \
  test2200 test2201 test2202 test2203 test2204 test2205 test2206 test2207 \
diff --git a/tests/data/test2092 b/tests/data/test2092

new file mode 100644 (file)

index 0000000..6cbf856
--- /dev/null
+++ b/tests/data/test2092
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="US-ASCII"?>
+<testcase>
+<info>
+<keywords>
+globbing
+</keywords>
+</info>
+
+# Client-side
+<client>
+<server>
+http
+</server>
+<name>
+glob range that ends with 9223372036854775807
+</name>
+<command>
+"%HOSTIP:%HTTPPORT/[0-1][9223372036854775806-9223372036854775807]/%TESTNUMBER"
+</command>
+</client>
+
+# Verify data after the test has been "shot"
+<verify>
+<errorcode>
+3
+</errorcode>
+</verify>
+</testcase>
author	Daniel Stenberg <daniel@haxx.se>
	Thu, 7 May 2026 15:45:48 +0000 (17:45 +0200)
committer	Daniel Stenberg <daniel@haxx.se>
	Thu, 7 May 2026 20:58:20 +0000 (22:58 +0200)
src/tool_urlglob.c		patch \| blob \| blame \| history
tests/data/Makefile.am		patch \| blob \| blame \| history
tests/data/test2092	[new file with mode: 0644]	patch \| blob