diff options
| author | Sergey Kandaurov <pluknet@nginx.com> | 2026-02-27 21:46:04 +0400 |
|---|---|---|
| committer | Sergey Kandaurov <s.kandaurov@f5.com> | 2026-03-04 12:08:09 +0400 |
| commit | dff46cd1ae0095922e7eb9cf5b32ebe1e68a5706 (patch) | |
| tree | fe916c352397fc27ac9c801cd7222caea0da8fa8 /src | |
| parent | aa65a60fc7bcef4152152cf5a4e87f04cad54368 (diff) | |
| download | nginx-dff46cd1ae0095922e7eb9cf5b32ebe1e68a5706.tar.gz nginx-dff46cd1ae0095922e7eb9cf5b32ebe1e68a5706.tar.bz2 | |
Mail: fixed type overflow in IMAP literal length parser.
The overflow is safe, because the maximum length of literals
is limited with the "imap_client_buffer" directive.
Reported by Bartłomiej Dmitruk.
Diffstat (limited to 'src')
| -rw-r--r-- | src/mail/ngx_mail_parse.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/src/mail/ngx_mail_parse.c b/src/mail/ngx_mail_parse.c index a694bf6b6..227b63abb 100644 --- a/src/mail/ngx_mail_parse.c +++ b/src/mail/ngx_mail_parse.c @@ -539,6 +539,9 @@ ngx_mail_imap_parse_command(ngx_mail_session_t *s) break; case sw_literal: + if (s->literal_len > NGX_MAX_SIZE_T_VALUE / 10) { + goto invalid; + } if (ch >= '0' && ch <= '9') { s->literal_len = s->literal_len * 10 + (ch - '0'); break; |