authorSergey Kandaurov <pluknet@nginx.com>2026-02-27 21:46:04 +0400
committerSergey Kandaurov <s.kandaurov@f5.com>2026-03-04 12:08:09 +0400
commitdff46cd1ae0095922e7eb9cf5b32ebe1e68a5706 (patch)
treefe916c352397fc27ac9c801cd7222caea0da8fa8
parentaa65a60fc7bcef4152152cf5a4e87f04cad54368 (diff)
downloadnginx-dff46cd1ae0095922e7eb9cf5b32ebe1e68a5706.tar.gz
nginx-dff46cd1ae0095922e7eb9cf5b32ebe1e68a5706.tar.bz2
Mail: fixed type overflow in IMAP literal length parser.
The overflow is safe, because the maximum length of literals is limited with the "imap_client_buffer" directive. Reported by Bartłomiej Dmitruk.
-rw-r--r--src/mail/ngx_mail_parse.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/src/mail/ngx_mail_parse.c b/src/mail/ngx_mail_parse.c
index a694bf6b6..227b63abb 100644
--- a/src/mail/ngx_mail_parse.c
+++ b/src/mail/ngx_mail_parse.c
@@ -539,6 +539,9 @@ ngx_mail_imap_parse_command(ngx_mail_session_t *s)
break;
case sw_literal:
+ if (s->literal_len > NGX_MAX_SIZE_T_VALUE / 10) {
+ goto invalid;
+ }
if (ch >= '0' && ch <= '9') {
s->literal_len = s->literal_len * 10 + (ch - '0');
break;
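Review bot: The new guard in `case sw_literal` bounds only the `* 10` step: when `s->literal_len` equals `NGX_MAX_SIZE_T_VALUE / 10` exactly, `s->literal_len * 10 + (ch - '0')` can still exceed `NGX_MAX_SIZE_T_VALUE` for a large final digit. Whether that actually wraps depends on the type of `literal_len` and on how the macro is defined, neither of which is visible here. The check also sits before the digit test, so it runs for non-digit characters as well. Moving it into the digit branch and folding the digit in, `if (s->literal_len > (NGX_MAX_SIZE_T_VALUE - (ch - '0')) / 10) { goto invalid; }`, would cover both steps. A short comment such as `/* reject before the accumulation can exceed NGX_MAX_SIZE_T_VALUE */` would record the intent; the rest of the `sw_literal` case lies outside the hunk.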