From: Sergey Kandaurov <pluknet@nginx.com>
Date: Fri, 27 Feb 2026 17:46:04 +0000 (+0400)
Subject: Mail: fixed type overflow in IMAP literal length parser.
X-Git-Tag: release-1.29.6~13
X-Git-Url: http://www.kaiwu.me/postgresql/commit/?a=commitdiff_plain;h=dff46cd1ae0095922e7eb9cf5b32ebe1e68a5706;p=nginx.git

Mail: fixed type overflow in IMAP literal length parser.

The overflow is safe, because the maximum length of literals
is limited with the "imap_client_buffer" directive.

Reported by Bartłomiej Dmitruk.
---

diff --git a/src/mail/ngx_mail_parse.c b/src/mail/ngx_mail_parse.c
index a694bf6b6..227b63abb 100644
--- a/src/mail/ngx_mail_parse.c
+++ b/src/mail/ngx_mail_parse.c
@@ -539,6 +539,9 @@ ngx_mail_imap_parse_command(ngx_mail_session_t *s)
             break;
 
         case sw_literal:
+            if (s->literal_len > NGX_MAX_SIZE_T_VALUE / 10) {
+                goto invalid;
+            }
             if (ch >= '0' && ch <= '9') {
                 s->literal_len = s->literal_len * 10 + (ch - '0');
                 break;