From 3ce10063f191e3d0a2dac3daf997b4a0aaf28ac1 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 7 May 2026 17:45:48 +0200 Subject: [PATCH] tool_urlglob: avoid overflow at end of range Due to how the range span globbing code works, a range that ends with 9223372036854775807 (the maximum signed 63 bit value) cannot be used as it triggers an integer overflow. Verified in test 2092 Reported-by: Andrew Nesbit Closes #21529 --- src/tool_urlglob.c | 6 ++++-- tests/data/Makefile.am | 2 +- tests/data/test2092 | 28 ++++++++++++++++++++++++++++ 3 files changed, 33 insertions(+), 3 deletions(-) create mode 100644 tests/data/test2092 diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c index ad1c8087da..d2249980e2 100644 --- a/src/tool_urlglob.c +++ b/src/tool_urlglob.c @@ -324,8 +324,10 @@ static CURLcode glob_range(struct URLGlob *glob, const char **patternp, /* the pattern is not well-formed */ return globerror(glob, "bad range", *posp, CURLE_URL_MALFORMAT); - /* typecasting to ints are fine here since we make sure above that we - are within 31 bits */ + if((CURL_OFF_T_MAX - step_n) < max_n) + return globerror(glob, "range end/step overflow", *posp, + CURLE_URL_MALFORMAT); + pat->c.num.idx = pat->c.num.min = min_n; pat->c.num.max = max_n; pat->c.num.step = step_n; diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am index 0abf6a0998..85ea4bcd1d 100644 --- a/tests/data/Makefile.am +++ b/tests/data/Makefile.am @@ -256,7 +256,7 @@ test2056 test2057 test2058 test2059 test2060 test2061 test2062 test2063 \ test2064 test2065 test2066 test2067 test2068 test2069 test2070 test2071 \ test2072 test2073 test2074 test2075 test2076 test2077 test2078 test2079 \ test2080 test2081 test2082 test2083 test2084 test2085 test2086 test2087 \ -test2088 test2089 test2090 test2091 \ +test2088 test2089 test2090 test2091 test2092 \ test2100 test2101 test2102 test2103 test2104 \ \ test2200 test2201 test2202 test2203 test2204 test2205 test2206 test2207 \ 
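Review bot: The new guard `if((CURL_OFF_T_MAX - step_n) < max_n)` in glob_range() carries no comment explaining why `max_n + step_n` has to be representable, and the stale 31-bit comment it replaces was removed without a successor. The subtraction form keeps the check itself free of signed overflow only while `step_n` is non-negative; that is presumably guaranteed by the parsing earlier in the function, but it is not visible in this hunk. I would add `/* stepping adds step to idx before it is compared with max, so max + step must fit in curl_off_t; step_n is >= 0 here */` above the check. Both statements should be confirmed first against the rest of glob_range() and the code that advances the range, which lie outside the hunk.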
diff --git a/tests/data/test2092 b/tests/data/test2092
new file mode 100644
index 0000000000..6cbf8563fb
--- /dev/null
+++ b/tests/data/test2092
@@ -0,0 +1,28 @@
+
+
+
+
+globbing
+
+
+
+# Client-side
+
+
+http
+
+
+glob range that ends with 9223372036854775807
+
+
+"%HOSTIP:%HTTPPORT/[0-1][9223372036854775806-9223372036854775807]/%TESTNUMBER"
+
+
+
+# Verify data after the test has been "shot"
+
+
+3
+
+
+
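Review bot: The test covers only the implicit step of 1 with the range end at the exact maximum, so the `step_n` term of the new guard is never exercised with a value above 1. A second case with an explicit step, where the end plus the step exceeds the limit while the end itself stays below it, would pin that part of the check; a constructed example is `[9223372036854775800-9223372036854775806:5]`. A companion case just under the limit that is still accepted would guard against the check rejecting too much. The element tags are not visible in this rendering, so the `3` is presumably the expected exit code for the malformed-URL error.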