Mail: fixed type overflow in IMAP literal length parser.

The overflow is safe, because the maximum length of literals
is limited with the "imap_client_buffer" directive.

Reported by Bartłomiej Dmitruk.

diff --git a/src/mail/ngx_mail_parse.c b/src/mail/ngx_mail_parse.c
index a694bf6b6064d0ce375adfb01f5e47a3b3614374..227b63abb22ba2fcf95a27ec31f09d15fef0833b 100644 (file)
--- a/src/mail/ngx_mail_parse.c
+++ b/src/mail/ngx_mail_parse.c
@@ -539,6 +539,9 @@ ngx_mail_imap_parse_command(ngx_mail_session_t *s)
             break;
 
         case sw_literal:
+            if (s->literal_len > NGX_MAX_SIZE_T_VALUE / 10) {
+                goto invalid;
+            }
             if (ch >= '0' && ch <= '9') {
                 s->literal_len = s->literal_len * 10 + (ch - '0');
                 break;