gtls: fail for large files in `load_file()`

Used for issuer certs. Limit the size at `CURL_MAX_INPUT_LENGTH`, 8MB.

Bug: https://github.com/curl/curl/pull/21256#discussion_r3045854654

Closes #21257

diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
index 97ac2c8bcfd85a4e0f76e93d8bb59dc74cc9306a..1b581cda88e50d5a2b54da0f3bf304f06bddaa2b 100644 (file)
--- a/lib/vtls/gtls.c
+++ b/lib/vtls/gtls.c
@@ -206,7 +206,7 @@ static gnutls_datum_t load_file(const char *file)
   if(fseek(f, 0, SEEK_END) != 0)
     goto out;
   filelen = ftell(f);
-  if(filelen < 0)
+  if(filelen < 0 || filelen > CURL_MAX_INPUT_LENGTH)
     goto out;
   if(fseek(f, 0, SEEK_SET) != 0)
     goto out;