From dff46cd1ae0095922e7eb9cf5b32ebe1e68a5706 Mon Sep 17 00:00:00 2001
From: Sergey Kandaurov <pluknet@nginx.com>
Date: Fri, 27 Feb 2026 21:46:04 +0400
Subject: Mail: fixed type overflow in IMAP literal length parser.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The overflow is safe, because the maximum length of literals
is limited with the "imap_client_buffer" directive.

Reported by Bartłomiej Dmitruk.
---
 src/mail/ngx_mail_parse.c | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'src')

diff --git a/src/mail/ngx_mail_parse.c b/src/mail/ngx_mail_parse.c
index a694bf6b6..227b63abb 100644
--- a/src/mail/ngx_mail_parse.c
+++ b/src/mail/ngx_mail_parse.c
@@ -539,6 +539,9 @@ ngx_mail_imap_parse_command(ngx_mail_session_t *s)
             break;
 
         case sw_literal:
+            if (s->literal_len > NGX_MAX_SIZE_T_VALUE / 10) {
+                goto invalid;
+            }
             if (ch >= '0' && ch <= '9') {
                 s->literal_len = s->literal_len * 10 + (ch - '0');
                 break;
-- 
cgit