Check out the CGI documentation, notably the section devoted to handling file uploads. There are lots of examples there. Basically, you're not reading the file data correctly.

my $file1 = $cgi->param('file1');
...
read($file1, $buf, ...);   # $file1 is a file handle!
$line = <$file1>;          # another example
[download]

Also, since you are mucking around with files and open calls with user-provided data, I strongly suggest you read perlsec and run your script with taint-checking (-T) enabled.

In addition, you could use some better error checking with your read call. Check to see if $bytes is defined, and if not, consider that an error and report it as such (with details in $!).

Hope this helps.