From 497d3c7b016e8e004dcafef96e34070a5d8033e0 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Wed, 21 May 2025 12:12:15 +0200
Subject: [PATCH] ftplistparser: protect more cases decrementing 'len'

So that they never wrap. More Coverity remarks.

Closes #17406
---
 lib/ftplistparser.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/lib/ftplistparser.c b/lib/ftplistparser.c
index af2321af09..70939d6a76 100644
--- a/lib/ftplistparser.c
+++ b/lib/ftplistparser.c
@@ -423,7 +423,8 @@ static CURLcode parse_unix(struct Curl_easy *data,
       parser->item_length++;
       if(c == '\r') {
         parser->item_length--;
-        curlx_dyn_setlen(&infop->buf, --len);
+        if(len)
+          curlx_dyn_setlen(&infop->buf, --len);
       }
       else if(c == '\n') {
         mem[parser->item_length - 1] = 0;
@@ -519,7 +520,7 @@ static CURLcode parse_unix(struct Curl_easy *data,
   case PL_UNIX_USER:
     switch(parser->state.UNIX.sub.user) {
     case PL_UNIX_USER_PRESPACE:
-      if(c != ' ') {
+      if(c != ' ' && len) {
         parser->item_offset = len - 1;
         parser->item_length = 1;
         parser->state.UNIX.sub.user = PL_UNIX_USER_PARSING;
@@ -541,7 +542,7 @@ static CURLcode parse_unix(struct Curl_easy *data,
   case PL_UNIX_GROUP:
     switch(parser->state.UNIX.sub.group) {
     case PL_UNIX_GROUP_PRESPACE:
-      if(c != ' ') {
+      if(c != ' ' && len) {
         parser->item_offset = len - 1;
         parser->item_length = 1;
         parser->state.UNIX.sub.group = PL_UNIX_GROUP_NAME;
@@ -564,7 +565,7 @@ static CURLcode parse_unix(struct Curl_easy *data,
     switch(parser->state.UNIX.sub.size) {
     case PL_UNIX_SIZE_PRESPACE:
       if(c != ' ') {
-        if(ISDIGIT(c)) {
+        if(ISDIGIT(c) && len) {
           parser->item_offset = len - 1;
           parser->item_length = 1;
           parser->state.UNIX.sub.size = PL_UNIX_SIZE_NUMBER;
@@ -665,7 +666,7 @@ static CURLcode parse_unix(struct Curl_easy *data,
   case PL_UNIX_FILENAME:
     switch(parser->state.UNIX.sub.filename) {
     case PL_UNIX_FILENAME_PRESPACE:
-      if(c != ' ') {
+      if(c != ' ' && len) {
         parser->item_offset = len - 1;
         parser->item_length = 1;
         parser->state.UNIX.sub.filename = PL_UNIX_FILENAME_NAME;
@@ -703,7 +704,7 @@ static CURLcode parse_unix(struct Curl_easy *data,
   case PL_UNIX_SYMLINK:
     switch(parser->state.UNIX.sub.symlink) {
     case PL_UNIX_SYMLINK_PRESPACE:
-      if(c != ' ') {
+      if(c != ' ' && len) {
         parser->item_offset = len - 1;
         parser->item_length = 1;
         parser->state.UNIX.sub.symlink = PL_UNIX_SYMLINK_NAME;
@@ -754,7 +755,7 @@ static CURLcode parse_unix(struct Curl_easy *data,
         parser->state.UNIX.sub.symlink = PL_UNIX_SYMLINK_NAME;
       break;
     case PL_UNIX_SYMLINK_PRETARGET4:
-      if(c != '\r' && c != '\n') {
+      if(c != '\r' && c != '\n' && len) {
         parser->state.UNIX.sub.symlink = PL_UNIX_SYMLINK_TARGET;
         parser->item_offset = len - 1;
         parser->item_length = 1;
@@ -892,6 +893,8 @@ static CURLcode parse_winnt(struct Curl_easy *data,
       break;
     case PL_WINNT_FILENAME_CONTENT:
       parser->item_length++;
+      if(!len)
+        return CURLE_FTP_BAD_FILE_LIST;
       if(c == '\r') {
         parser->state.NT.sub.filename = PL_WINNT_FILENAME_WINEOL;
         mem[len - 1] = 0;
-- 
2.47.3