multi: avoid a theoretical 32-bit wrap #20742

Closed
bagder wants to merge 1 commit into master from bagder/multi-math
bagder (Member) commented Feb 26, 2026

If Curl_uint32_tbl_count() at some future point actually can return UINT_MAX, this fixes the math to not wrap.

bagder requested a review from Copilot February 26, 2026 16:01
bagder marked this pull request as ready for review February 26, 2026 16:01
Copilot AI left a comment

Pull request overview

Adjusts curl_multi_get_handles() handle-count arithmetic to avoid 32-bit wrap when sizing the returned handle array.

Changes:

  • Change local count type from unsigned int to size_t in curl_multi_get_handles().
  • Use count + 1 with a wider type for the allocation sizing expression.
Comments suppressed due to low confidence (1)

lib/multi.c:3732

  • i remains unsigned int while count is now size_t. To keep types consistent with the allocated array size and avoid any potential truncation/overflow if count can exceed UINT_MAX, consider making i a size_t as well (and adjust related asserts accordingly).
    unsigned int i = 0;
    uint32_t mid;

Comment on lines +3728 to 3730
size_t count = Curl_uint32_tbl_count(&multi->xfers);
CURL **a = curlx_malloc(sizeof(struct Curl_easy *) * (count + 1));
if(a) {
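Review bot: on the curlx_malloc() line, widening count to size_t does not stop the wrap on targets where size_t is itself 32 bits: with count equal to UINT_MAX, count + 1 is 0 there, and the multiplication by the pointer size can wrap for smaller counts too. Reject the request before allocating, for example when count >= SIZE_MAX / sizeof(struct Curl_easy *), and return NULL. Separately, the element size is written as sizeof(struct Curl_easy *) while the array is declared CURL **a; sizeof(*a) would keep the two from drifting apart.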
Copilot AI Feb 26, 2026

count is now size_t, but the allocation size expression sizeof(struct Curl_easy *) * (count + 1) can still overflow/wrap on 32-bit when count is large (e.g. UINT32_MAX from Curl_uint32_tbl_count() equals SIZE_MAX). Consider adding an explicit overflow check (for both (count + 1) and the multiplication) and returning NULL on overflow to avoid undersized allocations and potential out-of-bounds writes.

Copilot uses AI. Check for mistakes.
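
The overflow check suggested in the review comment above, written out as an added example; it is not code from curl or from this pull request. `unchecked_bytes32()`, `handle_array_bytes()` and `alloc_handle_array()` are hypothetical names, and the size-type limit is passed as a parameter (an assumption made here) so that a 64-bit host can reproduce the 32-bit case.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The PR's expression with every operand forced to 32 bits, which is what
   a target with a 32-bit size_t computes. Unsigned wrap is well defined. */
static uint32_t unchecked_bytes32(uint32_t count, uint32_t elem_size)
{
  return elem_size * (count + 1u);
}

/* Hypothetical helper, not a curl function: byte size of an array of
   `count` pointers plus a NULL terminator. `limit` is the largest value
   the size type holds (SIZE_MAX in real code); passing it in lets a
   64-bit host reproduce the 32-bit case. */
static bool handle_array_bytes(uint64_t count, uint64_t elem_size,
                               uint64_t limit, uint64_t *bytes)
{
  if(!elem_size || count >= limit / elem_size)
    return false; /* count + 1 or the multiplication would exceed limit */
  *bytes = (count + 1) * elem_size;
  return true;
}

/* Checked allocation for the host's real size_t. */
static void **alloc_handle_array(size_t count)
{
  uint64_t bytes;
  if(!handle_array_bytes(count, sizeof(void *), SIZE_MAX, &bytes))
    return NULL;
  return malloc((size_t)bytes);
}

int main(void)
{
  /* constructed sample counts around the 32-bit boundaries */
  const uint32_t counts[] = { 3, 0x3FFFFFFEu, 0x40000000u, UINT32_MAX };
  for(size_t i = 0; i < sizeof(counts) / sizeof(counts[0]); i++) {
    uint64_t b = 0;
    bool ok = handle_array_bytes(counts[i], 4, UINT32_MAX, &b);
    printf("count=%lu unchecked=%lu checked=%s\n",
           (unsigned long)counts[i],
           (unsigned long)unchecked_bytes32(counts[i], 4),
           ok ? "ok" : "rejected");
  }
  void **a = alloc_handle_array(3);
  free(a);
  return 0;
}
```

With 4-byte pointers and a 32-bit limit, a count of 0x40000000 makes the unchecked expression yield 4 bytes, the undersized allocation the comment warns about, while the checked helper rejects it.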
bagder closed this in 6789eb0 Feb 26, 2026
bagder deleted the bagder/multi-math branch February 26, 2026 16:15