tool_urlglob: add integer overflow protection

bagder · bagder · commit fef318553b97 · 2025-08-26T09:50:00.000+02:00
It is most likely impossible to actually overflow, but this makes it certain. Closes curl#18398
diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c
@@ -124,17 +124,21 @@ static CURLcode glob_set(struct URLGlob *glob, const char **patternp,
       /* add 1 to size since it will be incremented below */
       if(multiply(amount, pat->c.set.size + 1))
         return globerror(glob, "range overflow", 0, CURLE_URL_MALFORMAT);
-
+      done = TRUE;
       FALLTHROUGH();
     case ',':
       if(pat->c.set.elem) {
-        char **new_arr = realloc(pat->c.set.elem,
-                                 (size_t)(pat->c.set.size + 1) *
-                                 sizeof(char *));
-        if(!new_arr)
+        char **arr;
+
+        if(pat->c.set.size >= (curl_off_t)(SIZE_T_MAX/(sizeof(char *))))
+          return globerror(glob, "range overflow", 0, CURLE_URL_MALFORMAT);
+
+        arr = realloc(pat->c.set.elem, (size_t)(pat->c.set.size + 1) *
+                      sizeof(char *));
+        if(!arr)
           return globerror(glob, NULL, 0, CURLE_OUT_OF_MEMORY);
 
-        pat->c.set.elem = new_arr;
+        pat->c.set.elem = arr;
       }
       else
         pat->c.set.elem = malloc(sizeof(char *));
@@ -149,14 +153,9 @@ static CURLcode glob_set(struct URLGlob *glob, const char **patternp,
       ++pat->c.set.size;
       curlx_dyn_reset(&glob->buf);
 
-      if(*pattern == '}') {
-        pattern++; /* pass the closing brace */
-        done = TRUE;
-        continue;
-      }
-
       ++pattern;
-      ++(*posp);
+      if(!done)
+        ++(*posp);
       break;
 
     case ']':                           /* illegal closing bracket */
