imap: avoid integer overflow
authorDaniel Stenberg <daniel@haxx.se>
Mon, 3 Nov 2025 07:05:35 +0000 (08:05 +0100)
committerDaniel Stenberg <daniel@haxx.se>
Mon, 3 Nov 2025 07:54:51 +0000 (08:54 +0100)
Follow-up to e64c28e243d797da4ef76d6e8959

Spotted by OSS-Fuzz

Closes #19332

lib/imap.c

index 1902619a6ffad849ee14ef19e4d0eb9db8758d25..d23076a48f8594b620384b9286a6ed8b317ea376 100644 (file)
@@ -1265,15 +1265,22 @@ static CURLcode imap_state_listsearch_resp(struct Curl_easy *data,
           pp->overflow = 0;
         }
 
-        if(data->req.bytecount == size + (curl_off_t)len)
+        if((CURL_OFF_T_MAX - size) < (curl_off_t)len)
+          /* unlikely to actually be a transfer this big, but avoid integer
+             overflow */
+          size = CURL_OFF_T_MAX;
+        else
+          size += len;
+
+        if(data->req.bytecount == size)
           /* All data already transferred (header + literal body) */
           Curl_xfer_setup_nop(data);
         else {
           /* Setup to receive the literal body data.
              maxdownload and transfer size include both header line and
              literal body */
-          data->req.maxdownload = size + len;
-          Curl_xfer_setup_recv(data, FIRSTSOCKET, size + len);
+          data->req.maxdownload = size;
+          Curl_xfer_setup_recv(data, FIRSTSOCKET, size);
         }
         /* End of DO phase */
         imap_state(data, imapc, IMAP_STOP);
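Review bot: The new guard `(CURL_OFF_T_MAX - size) < (curl_off_t)len` only avoids overflow when `size` is non-negative; with a negative `size` the subtraction itself would overflow. `size` is set outside this hunk, presumably from the server-announced literal length, so a short comment above the check such as `/* size is never negative here, so the subtraction cannot overflow */` (or a `DEBUGASSERT(size >= 0);`) would make that invariant visible. Clamping to `CURL_OFF_T_MAX` also lets a size the server announced but that cannot be represented continue as a transfer of maximum length; it may be worth considering an error return for that case instead, since the value is untrusted. As a style point, `size += (curl_off_t)len;` would match the explicit cast already used in the condition. The enclosing function imap_state_listsearch_resp starts and ends outside the hunk.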