From 453e7a7a03a2cec749abd3878a48e728c515cca7 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 1 Aug 2017 17:16:07 +0200
Subject: [PATCH] glob: do not continue parsing after a strtoul() overflow
 range

Added test 1289 to verify.

CVE-2017-1000101

Bug: https://curl.haxx.se/docs/adv_20170809A.html
Reported-by: Brian Carpenter
---
 src/tool_urlglob.c      |  5 ++++-
 tests/data/Makefile.inc |  2 +-
 tests/data/test1289     | 35 +++++++++++++++++++++++++++++++++++
 3 files changed, 40 insertions(+), 2 deletions(-)
 create mode 100644 tests/data/test1289

--- a/src/tool_urlglob.c
+++ b/src/tool_urlglob.c
@@ -272,7 +272,10 @@ static CURLcode glob_range(URLGlob *glob
         }
         errno = 0;
         max_n = strtoul(pattern, &endp, 10);
-        if(errno || (*endp == ':')) {
+        if(errno)
+          /* overflow */
+          endp = NULL;
+        else if(*endp == ':') {
           pattern = endp+1;
           errno = 0;
           step_n = strtoul(pattern, &endp, 10);