From e4f93be9d5875464b6bda1872dbcb845d3268beb Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 23 Feb 2023 18:20:16 +0100
Subject: [PATCH] telnet: parse the WS= argument without sscanf

Closes #10596
---
 lib/telnet.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/lib/telnet.c b/lib/telnet.c
index 0c1671d0f5..b82777b62a 100644
--- a/lib/telnet.c
+++ b/lib/telnet.c
@@ -841,10 +841,19 @@ static CURLcode check_telnet_options(struct Curl_easy *data)
       case 2:
         /* Window Size */
         if(strncasecompare(option, "WS", 2)) {
-          if(sscanf(arg, "%hu%*[xX]%hu",
-                    &tn->subopt_wsx, &tn->subopt_wsy) == 2)
-            tn->us_preferred[CURL_TELOPT_NAWS] = CURL_YES;
-          else {
+          char *p;
+          unsigned long x = strtoul(arg, &p, 10);
+          unsigned long y = 0;
+          if(Curl_raw_tolower(*p) == 'x') {
+            p++;
+            y = strtoul(p, NULL, 10);
+            if(x && y && (x <= 0xffff) && (y <= 0xffff)) {
+              tn->subopt_wsx = (unsigned short)x;
+              tn->subopt_wsy = (unsigned short)y;
+              tn->us_preferred[CURL_TELOPT_NAWS] = CURL_YES;
+            }
+          }
+          if(!y) {
             failf(data, "Syntax error in telnet option: %s", head->data);
             result = CURLE_SETOPT_OPTION_SYNTAX;
           }
-- 
2.47.3