Index: lib/http.c
===================================================================
RCS file: /cvsroot/curl/curl/lib/http.c,v
retrieving revision 1.345
diff -u -r1.345 http.c
--- lib/http.c	5 Nov 2007 09:45:09 -0000	1.345
+++ lib/http.c	13 Nov 2007 14:06:25 -0000
@@ -1083,9 +1083,28 @@
   char *new_rb;
   size_t new_size;
 
+  if(~size < in->size_used) {
+    /* If resulting used size of send buffer would wrap size_t, cleanup
+       the whole buffer and return error. Otherwise the required buffer
+       size will fit into a single allocatable memory chunk */
+    Curl_safefree(in->buffer);
+    free(in);
+    return CURLE_OUT_OF_MEMORY;
+  }
+
   if(!in->buffer ||
      ((in->size_used + size) > (in->size_max - 1))) {
-    new_size = (in->size_used+size)*2;
+
+    /* If current buffer size isn't enough to hold the result, use a
+       buffer size that doubles the required size. If this new size
+       would wrap size_t, then just use the largest possible one */
+
+    if((size > (size_t)-1/2) || (in->size_used > (size_t)-1/2) ||
+       (~(size*2) < (in->size_used*2)))
+      new_size = (size_t)-1;
+    else
+      new_size = (in->size_used+size)*2;
+
     if(in->buffer)
       /* we have a buffer, enlarge the existing one */
       new_rb = (char *)realloc(in->buffer, new_size);
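Review bot: The three-clause wrap test before the doubling (`size > (size_t)-1/2 || in->size_used > (size_t)-1/2 || ~(size*2) < (in->size_used*2)`) is harder to audit than it needs to be. The new guard at the top of the hunk already guarantees that `in->size_used + size` does not wrap, so the test reduces to `if((in->size_used + size) > ((size_t)-1)/2)`, with the extra parentheses making the cast-before-divide precedence obvious. Clamping to `(size_t)-1` asks the following realloc() for the whole address space, which will in practice fail, so this branch is effectively another out-of-memory return and the comment could say so. The early return also frees `in` itself, which is only safe if callers never touch or free the buffer after an error. Presumably that matches the existing allocation-failure path, but that path and the rest of the function lie outside this hunk, so it is worth confirming and stating in the function's header comment.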
