From 92fd791f310eb5b1dec6bc4708631fd7f5e87598 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Sun, 9 Nov 2025 11:12:06 +0100
Subject: [PATCH] mqtt: reject overly big messages
Reported-by: Jiyong Yang
Closes #19415
---
 lib/mqtt.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/lib/mqtt.c b/lib/mqtt.c
index 0bf956c05b..bac319e63a 100644
--- a/lib/mqtt.c
+++ b/lib/mqtt.c
@@ -582,6 +582,8 @@ fail:
 return result;
 }
+#define MAX_MQTT_MESSAGE_SIZE 0xFFFFFFF
+
 static CURLcode mqtt_publish(struct Curl_easy *data)
 {
 CURLcode result;
@@ -611,6 +613,8 @@ static CURLcode mqtt_publish(struct Curl_easy *data)
 remaininglength = payloadlen + 2 + topiclen;
 encodelen = mqtt_encode_len(encodedbytes, remaininglength);
+ if(MAX_MQTT_MESSAGE_SIZE - remaininglength - 1 < encodelen)
+ return CURLE_TOO_LARGE;
 /* add the control byte and the encoded remaining length */
 pkt = malloc(remaininglength + 1 + encodelen);
--
2.47.3
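Review bot: `MAX_MQTT_MESSAGE_SIZE` is added without a comment saying where 0xFFFFFFF comes from or which quantity it bounds. The value is 268,435,455, the largest number the MQTT variable-length "remaining length" field can encode, while the check added in the second hunk compares it against the remaining length plus the control byte and the length bytes. I would put `/* 268435455: largest value the MQTT remaining-length field can encode */` above the define and state there whether the limit applies to the remaining length or to the whole packet.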
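Review bot: The new guard `MAX_MQTT_MESSAGE_SIZE - remaininglength - 1 < encodelen` wraps instead of rejecting if `remaininglength` is an unsigned type (its declaration is outside the hunk, but it is passed to `malloc`): for any value at or above the limit the left side becomes a very large number, the comparison is false, and the oversized message continues to the allocation. Keeping the subtraction on the constant side avoids this, `if(remaininglength > MAX_MQTT_MESSAGE_SIZE - 1 - encodelen)`, which holds as long as `encodelen` is only the few length bytes. The sum `payloadlen + 2 + topiclen` on the line above is also formed before any bound is applied, so a wrapped sum would pass the check; bounding the operands first would close that. The direct `return` may also skip whatever cleanup `mqtt_publish` does on its error path, which cannot be confirmed here because the function starts and ends outside the hunk.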