imap: check buffer length before accessing it

author Daniel Stenberg <daniel@haxx.se>

Tue, 9 Dec 2025 09:04:34 +0000 (10:04 +0100)

committer Daniel Stenberg <daniel@haxx.se>

Tue, 9 Dec 2025 09:50:29 +0000 (10:50 +0100)
author Daniel Stenberg <daniel@haxx.se>
Tue, 9 Dec 2025 09:04:34 +0000 (10:04 +0100)
committer Daniel Stenberg <daniel@haxx.se>
Tue, 9 Dec 2025 09:50:29 +0000 (10:50 +0100)
diff --git a/lib/imap.c b/lib/imap.c

index cbc4506a9d8579430183edd6e1f3e1247eb91c23..05d195ec58f498935987b31489a27fb22be1d964 100644 (file)
--- a/lib/imap.c
+++ b/lib/imap.c
@@ -1308,13 +1308,13 @@ static CURLcode imap_state_select_resp(struct Curl_easy *data,
                                         imapstate instate)
  {
    CURLcode result = CURLE_OK;
-  const char *line = curlx_dyn_ptr(&imapc->pp.recvbuf);
-
    (void)instate;
  
    if(imapcode == '*') {
      /* See if this is an UIDVALIDITY response */
-    if(checkprefix("OK [UIDVALIDITY ", line + 2)) {
+    const char *line = curlx_dyn_ptr(&imapc->pp.recvbuf);
+    size_t len = curlx_dyn_len(&imapc->pp.recvbuf);
+    if((len >= 18) && checkprefix("OK [UIDVALIDITY ", &line[2])) {
        curl_off_t value;
        const char *p = &line[2] + strlen("OK [UIDVALIDITY ");
        if(!curlx_str_number(&p, &value, UINT_MAX)) {
author	Daniel Stenberg <daniel@haxx.se>
	Tue, 9 Dec 2025 09:04:34 +0000 (10:04 +0100)
committer	Daniel Stenberg <daniel@haxx.se>
	Tue, 9 Dec 2025 09:50:29 +0000 (10:50 +0100)