romenskiy2012/curl
1
0
Fork 0
mirror of https://github.com/curl/curl.git synced 2026-04-15 01:31:41 +03:00
Code Issues Projects Releases Packages Wiki Activity

imap: avoid integer overflow

Browse source 
Follow-up to e64c28e243

Spotted by OSS-Fuzz

Closes #19332
This commit is contained in:
Daniel Stenberg 2025-11-03 08:05:35 +01:00
parent 3060495830
commit c1e3a760ba
No known key found for this signature in database
GPG key ID: 5CC908FDB71E12C2
1 changed files with 10 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

13
lib/imap.c
View file

@ -1265,15 +1265,22 @@ static CURLcode imap_state_listsearch_resp(struct Curl_easy *data,
pp->overflow = 0;
}
if(data->req.bytecount == size + (curl_off_t)len)
if((CURL_OFF_T_MAX - size) < (curl_off_t)len)
/* unlikely to actually be a transfer this big, but avoid integer
overflow */
size = CURL_OFF_T_MAX;
else
size += len;
if(data->req.bytecount == size)
/* All data already transferred (header + literal body) */
Curl_xfer_setup_nop(data);
else {
/* Setup to receive the literal body data.
maxdownload and transfer size include both header line and
literal body */
data->req.maxdownload = size + len;
Curl_xfer_setup_recv(data, FIRSTSOCKET, size + len);
data->req.maxdownload = size;
Curl_xfer_setup_recv(data, FIRSTSOCKET, size);
}
/* End of DO phase */
imap_state(data, imapc, IMAP_STOP);