vauth/cleartext: fix integer overflow check

[platform/upstream/curl.git] / lib / vauth / cleartext.c

diff --git a/lib/vauth/cleartext.c b/lib/vauth/cleartext.c
index a761ae7..5d61ce6 100644 (file)
--- a/lib/vauth/cleartext.c
+++ b/lib/vauth/cleartext.c
@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -73,16 +73,10 @@ CURLcode Curl_auth_create_plain_message(struct Curl_easy *data,
   ulen = strlen(userp);
   plen = strlen(passwdp);
 
-  /* Compute binary message length, checking for overflows. */
-  plainlen = 2 * ulen;
-  if(plainlen < ulen)
-    return CURLE_OUT_OF_MEMORY;
-  plainlen += plen;
-  if(plainlen < plen)
-    return CURLE_OUT_OF_MEMORY;
-  plainlen += 2;
-  if(plainlen < 2)
+  /* Compute binary message length. Check for overflows. */
+  if((ulen > SIZE_T_MAX/2) || (plen > (SIZE_T_MAX/2 - 2)))
     return CURLE_OUT_OF_MEMORY;
+  plainlen = 2 * ulen + plen + 2;
 
   plainauth = malloc(plainlen);
   if(!plainauth)