Integer Underflow in src/var.c
Severity: Medium
Vulnerability Details
# Summary:
A potential Integer Underflow vulnerability was identified in the `setvariable` function within `src/var.c`. The flaw occurs during the calculation of the variable content length (`clen`) when a byte range is specified. Specifically, the code fails to validate that `startoffset` is not greater than `endoffset` before performing the subtraction, so an inverted range produces a massive wrapped-around value when the result is cast to `size_t`.
This leads to an inconsistent state where `clen` holds an impossibly large value, causing memory corruption when it is passed to downstream functions.
URL: https://github.com/curl/curl/blob/master/src/var.c#L375
Function: `setvariable()`
File: `src/var.c:480`
Affected line: `clen = (size_t)(endoffset - startoffset) + 1;`
**Proof of Concept**
Using a debugger (GDB) to simulate the logic bypass:
- Set a breakpoint at `setvariable`.
- Manipulate the offsets: `set var startoffset = 100` and `set var endoffset = 50`.
- Result: `clen` as `size_t` is `18446744073709551567`.
**Workarounds**
Add a sanity check to ensure `startoffset` does not exceed `endoffset` before the calculation, and reject the range (with an error) if it does.
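The unchecked computation from the report beside a hardened form of it, as an added example (not curl's own code): `range_len_unchecked` reproduces the wrap-around, while `range_len_checked` refuses an inverted range and, as an extra assumption of this example, also refuses an end offset that lies past the available content (`contentlen`) so the returned length can never exceed the source buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The computation as the report describes it: when startoffset > endoffset
   the subtraction wraps around in size_t and the "+ 1" only adds to the
   wrapped value. */
size_t range_len_unchecked(size_t startoffset, size_t endoffset)
{
    return (size_t)(endoffset - startoffset) + 1;
}

/* Hardened form. endoffset is treated as an inclusive index into content
   of contentlen bytes (assumption of this example). Returns true and stores
   the inclusive range length in *clen, or false if the range is invalid. */
bool range_len_checked(size_t startoffset, size_t endoffset,
                       size_t contentlen, size_t *clen)
{
    /* inverted range: endoffset - startoffset would underflow */
    if(startoffset > endoffset)
        return false;
    /* end past the content: a length derived from it would overrun */
    if(endoffset >= contentlen)
        return false;
    /* here endoffset < contentlen <= SIZE_MAX, so the +1 cannot overflow */
    *clen = (endoffset - startoffset) + 1;
    return true;
}

int main(void)
{
    size_t clen = 0;
    printf("unchecked (100, 50): %zu\n", range_len_unchecked(100, 50));
    printf("checked   (100, 50): %s\n",
           range_len_checked(100, 50, 200, &clen) ? "ok" : "rejected");
    printf("checked   (50, 100): %s, clen=%zu\n",
           range_len_checked(50, 100, 200, &clen) ? "ok" : "rejected", clen);
    return 0;
}
```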
## Impact
This massive `clen` value is subsequently passed to `addvariable()`, where it is used as a length parameter for memory operations. This can lead to:
- Heap Buffer Overflow: attempting to copy data using an invalid length.
- Denial of Service: triggering an out-of-memory condition or a crash.
Report Stats
- Report ID: 3523349
- State: Closed
- Substate: not-applicable
- Upvotes: 35