From: Daniel Stenberg Date: Mon, 6 Oct 2025 08:11:30 +0000 (+0200) Subject: ftp: add extra buffer length check X-Git-Tag: rc-8_17_0-2~227 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=172e190c798645b9d04dd97ae0cf51b35317971e;p=thirdparty%2Fcurl.git ftp: add extra buffer length check This adds an extra check that the buffer really has data enough (at least 4 bytes) to check for a status code before doing so. It *should* not be necessary, but this was pointed out by an analyzer and it feels better to make sure. Reported-by: Joshua Rogers Closes #18869
---
diff --git a/lib/ftp.c b/lib/ftp.c
index 10a61d3689..77db98c005 100644
--- a/lib/ftp.c
+++ b/lib/ftp.c
@@ -479,13 +479,14 @@ static CURLcode ftp_check_ctrl_on_data_wait(struct Curl_easy *data,
 infof(data, "Ctrl conn has data while waiting for data conn");
 if(pp->overflow > 3) {
 const char *r = curlx_dyn_ptr(&pp->recvbuf);
+ size_t len = curlx_dyn_len(&pp->recvbuf);
 
- DEBUGASSERT((pp->overflow + pp->nfinal) <=
- curlx_dyn_len(&pp->recvbuf));
+ DEBUGASSERT((pp->overflow + pp->nfinal) <= curlx_dyn_len(&pp->recvbuf));
 /* move over the most recently handled response line */
 r += pp->nfinal;
+ len -= pp->nfinal;
 
- if(LASTLINE(r)) {
+ if((len > 3) && LASTLINE(r)) {
 curl_off_t status;
 if(!curlx_str_number(&r, &status, 999) && (status == 226)) {
 /* funny timing situation where we get the final message on the
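Review bot: The added `len -= pp->nfinal;` is an unsigned subtraction, and the only thing that keeps `pp->nfinal` from exceeding the buffer length is the `DEBUGASSERT` above it, which is compiled out of non-debug builds. If that invariant were ever violated in a release build, `len` would wrap to a very large value, `(len > 3)` would pass, and `LASTLINE(r)` would still read beyond the received data, which is the case this extra check is meant to rule out. Testing the relation before advancing would make the guard hold on its own, for example `if((pp->nfinal < len) && ((len - pp->nfinal) > 3) && LASTLINE(r)) {`, with `r += pp->nfinal;` kept before it. The assert could also reuse `len` instead of calling `curlx_dyn_len()` a second time. The type of `pp->nfinal` is not visible here and the function body starts and ends outside the hunk, so this is worth confirming against the struct definition.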