From fbc4d59151dc4a56052f3a92da3682dc97b32148 Mon Sep 17 00:00:00 2001
From: x2018 <xkernel.wang@foxmail.com>
Date: Tue, 28 Oct 2025 23:35:45 +0800
Subject: [PATCH] conncache: prevent integer overflow in maxconnects
 calculation

Closes #19271
---
 lib/conncache.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/lib/conncache.c b/lib/conncache.c
index 67e2a63d8a..5c4bc357cc 100644
--- a/lib/conncache.c
+++ b/lib/conncache.c
@@ -531,12 +531,19 @@ static bool cpool_foreach(struct Curl_easy *data,
 bool Curl_cpool_conn_now_idle(struct Curl_easy *data,
                               struct connectdata *conn)
 {
-  unsigned int maxconnects = !data->multi->maxconnects ?
-    (Curl_multi_xfers_running(data->multi) * 4) : data->multi->maxconnects;
+  unsigned int maxconnects;
   struct connectdata *oldest_idle = NULL;
   struct cpool *cpool = cpool_get_instance(data);
   bool kept = TRUE;
 
+  if(!data->multi->maxconnects) {
+    unsigned int running = Curl_multi_xfers_running(data->multi);
+    maxconnects = (running <= UINT_MAX / 4) ? running * 4 : UINT_MAX;
+  }
+  else {
+    maxconnects = data->multi->maxconnects;
+  }
+
   conn->lastused = curlx_now(); /* it was used up until now */
   if(cpool && maxconnects) {
     /* may be called form a callback already under lock */
-- 
2.47.3