An integer overflow found in src/tool_cb_prg.c

[lipeng28]

Hi There

Peng Li at Baidu X-Lab found an integer overflow in the function tool_progress_cb of src/tool_cb_prg.c, the error message is "tool_cb_prg.c:122:29: runtime error: signed integer overflow: 828 + 9223372036854775807 cannot be represented in type 'long'". Since the overflowed variable total is used in the consequent conditionals, I think it is a critical bug.

You could compile curl with undefined behavior sanitizer activated and apply "curl-ubsan -q -K id_005898" to reproduce the bug, the OS is ubuntu 16.04.2 LTS, curl's version is curl 7.61.1 (x86_64-pc-linux-gnu) libcurl/7.61.1. If you need any assistance, please let me know.

Thanks
Peng

int tool_progress_cb(void clientp,
curl_off_t dltotal, curl_off_t dlnow,
curl_off_t ultotal, curl_off_t ulnow)
{
/ The original progress-bar source code was written for curl by Lars Aas,
and this new edition inherits some of his concepts. */

struct timeval now = tvnow();
struct ProgressData *bar = (struct ProgressData *)clientp;
curl_off_t total;
curl_off_t point;

/* expected transfer size */
total = dltotal + ultotal + bar->initial_size;
...
}

id_005898.txt

[bagder]

I think it is a critical bug.

Why? What else does this cause than making the progress bar not appear the way it should?

[lipeng28]

Thank you bagder for your prompt fix!

[lipeng28]

Hi There

I confirmed that this fix resolves the problem, thank you for fixing them!

Best,
Peng