From: Daniel Stenberg
Date: Tue, 9 Dec 2025 09:04:34 +0000 (+0100)
Subject: imap: check buffer length before accessing it
X-Git-Tag: rc-8_18_0-2~82
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=43c781a1162f9be92b4a938660da62a02039b2b3;p=thirdparty%2Fcurl.git
imap: check buffer length before accessing it
Pointed out by ZeroPath
Closes #19887
---
diff --git a/lib/imap.c b/lib/imap.c
index cbc4506a9d..05d195ec58 100644
--- a/lib/imap.c
+++ b/lib/imap.c
@@ -1308,13 +1308,13 @@ static CURLcode imap_state_select_resp(struct Curl_easy *data, imapstate instate) { CURLcode result = CURLE_OK; - const char *line = curlx_dyn_ptr(&imapc->pp.recvbuf); - (void)instate; if(imapcode == '*') { /* See if this is an UIDVALIDITY response */ - if(checkprefix("OK [UIDVALIDITY ", line + 2)) { + const char *line = curlx_dyn_ptr(&imapc->pp.recvbuf); + size_t len = curlx_dyn_len(&imapc->pp.recvbuf); + if((len >= 18) && checkprefix("OK [UIDVALIDITY ", &line[2])) { curl_off_t value; const char *p = &line[2] + strlen("OK [UIDVALIDITY "); if(!curlx_str_number(&p, &value, UINT_MAX)) {
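Review bot: The bare `18` in the new guard `if((len >= 18) && checkprefix(...))` is an undocumented magic number that has to stay in step with the prefix literal, which now appears three times (the guard, `checkprefix()` and the `strlen()` on the `p` line). It is 2 bytes for what is presumably the leading `* ` plus the 16 bytes of `"OK [UIDVALIDITY "`, and since this line comes from the server the bound is worth making self-evident, e.g. `if((len >= 2 + strlen("OK [UIDVALIDITY ")) && checkprefix("OK [UIDVALIDITY ", &line[2])) {`, or at least a comment `/* 2 for "* " + strlen("OK [UIDVALIDITY ") */` above it. When `len` is exactly 18 the number parse at `p` starts right at the end of the received data, so it depends on the dynbuf being NUL-terminated; I assume that holds but it is not visible here. The body of imap_state_select_resp continues past the end of the hunk.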