From: Daniel Stenberg
Date: Mon, 14 Aug 2023 11:38:09 +0000 (+0200)
Subject: imap: remove the only sscanf() call in the IMAP code
X-Git-Tag: curl-8_3_0~161
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=91765104c2c1bd43d4fda8b5ebedec41c67c0ed0;p=thirdparty%2Fcurl.git
imap: remove the only sscanf() call in the IMAP code
Avoids the use of a stack buffer. Closes #11673
---
diff --git a/lib/imap.c b/lib/imap.c
index 27b7ac94c3..b8c220569c 100644
--- a/lib/imap.c
+++ b/lib/imap.c
@@ -1091,10 +1091,19 @@ static CURLcode imap_state_select_resp(struct Curl_easy *data, int imapcode,
 if(imapcode == '*') {
 /* See if this is an UIDVALIDITY response */
- char tmp[20];
- if(sscanf(line + 2, "OK [UIDVALIDITY %19[0123456789]]", tmp) == 1) {
- Curl_safefree(imapc->mailbox_uidvalidity);
- imapc->mailbox_uidvalidity = strdup(tmp);
+ if(checkprefix("OK [UIDVALIDITY ", line + 2)) {
+ size_t len = 0;
+ const char *p = &line[2] + strlen("OK [UIDVALIDITY ");
+ while((len < 20) && p[len] && ISDIGIT(p[len]))
+ len++;
+ if(len && (p[len] == ']')) {
+ struct dynbuf uid;
+ Curl_dyn_init(&uid, 20);
+ if(Curl_dyn_addn(&uid, p, len))
+ return CURLE_OUT_OF_MEMORY;
+ Curl_safefree(imapc->mailbox_uidvalidity);
+ imapc->mailbox_uidvalidity = Curl_dyn_ptr(&uid);
+ }
 }
 }
 else if(imapcode == IMAP_RESP_OK) {
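Review bot: The digit loop `while((len < 20) && ...)` accepts up to 20 digits while the buffer is created with `Curl_dyn_init(&uid, 20)`; if dynbuf counts the terminating zero against that limit (its implementation is not in this hunk), a server reply with exactly 20 digits before `]` makes `Curl_dyn_addn()` fail, and the function then returns CURLE_OUT_OF_MEMORY for what is really a malformed, server-controlled value. The removed sscanf() capped the field at 19 characters, so bounding the loop the same way, `while((len < 19) && p[len] && ISDIGIT(p[len]))`, keeps the old limit and lets an over-long value fail the `p[len] == ']'` test and be ignored instead of aborting the transfer. A short comment above the loop, such as `/* UIDVALIDITY is a 32-bit number; longer digit runs are ignored */`, would record why the cap exists. imap_state_select_resp() starts and ends outside this hunk.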