multi.c: fix possible invalid memory access in case nfds overflows

ufds might not be allocated in case nfds overflows to zero while
extra_nfds is still non-zero. udfs is then accessed within the
extra_nfds-based for loop.

diff --git a/lib/multi.c b/lib/multi.c
index bc69996e67ade04b3cff1f8debf5443041316ebf..bc932640ac9acba6a1499c2a6d776cf7f35c8f13 100644 (file)
--- a/lib/multi.c
+++ b/lib/multi.c
@@ -828,7 +828,7 @@ CURLMcode curl_multi_wait(CURLM *multi_handle,
   curlfds = nfds; /* number of internal file descriptors */
   nfds += extra_nfds; /* add the externally provided ones */
 
-  if(nfds) {
+  if(nfds || extra_nfds) {
     ufds = malloc(nfds * sizeof(struct pollfd));
     if(!ufds)
       return CURLM_OUT_OF_MEMORY;