From c1e3a760ba082762041a999bc98f21ea295d7cf4 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Mon, 3 Nov 2025 08:05:35 +0100
Subject: [PATCH] imap: avoid integer overflow
Follow-up to e64c28e243d797da4ef76d6e8959
Spotted by OSS-Fuzz
Closes #19332
---
 lib/imap.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/lib/imap.c b/lib/imap.c
index 1902619a6f..d23076a48f 100644
--- a/lib/imap.c
+++ b/lib/imap.c
@@ -1265,15 +1265,22 @@ static CURLcode imap_state_listsearch_resp(struct Curl_easy *data,
 pp->overflow = 0;
 }
- if(data->req.bytecount == size + (curl_off_t)len)
+ if((CURL_OFF_T_MAX - size) < (curl_off_t)len)
+ /* unlikely to actually be a transfer this big, but avoid integer
+ overflow */
+ size = CURL_OFF_T_MAX;
+ else
+ size += len;
+
+ if(data->req.bytecount == size)
 /* All data already transferred (header + literal body) */
 Curl_xfer_setup_nop(data);
 else {
 /* Setup to receive the literal body data. maxdownload and transfer size include both header line and literal body */
- data->req.maxdownload = size + len;
- Curl_xfer_setup_recv(data, FIRSTSOCKET, size + len);
+ data->req.maxdownload = size;
+ Curl_xfer_setup_recv(data, FIRSTSOCKET, size);
 }
 /* End of DO phase */
 imap_state(data, imapc, IMAP_STOP);
--
2.47.3
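Review bot: The saturating branch `size = CURL_OFF_T_MAX;` keeps the addition defined, but it silently accepts a literal size that cannot be genuine and then passes that value to `data->req.maxdownload` and `Curl_xfer_setup_recv()`. The size appears to be taken from the server's response, so failing the request with an error such as `CURLE_WEIRD_SERVER_REPLY` would be the more conservative handling of untrusted input. The function body starts and ends outside the hunk, so whether that path needs cleanup is not visible here. The guard `(CURL_OFF_T_MAX - size)` is itself only overflow-free when `size` is non-negative, and the parsing that would establish this is also outside the hunk. A short comment such as `/* size is >= 0 here, so the subtraction cannot overflow */` would record that invariant next to the check.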