git.ipfire.org Git - thirdparty/curl.git/commitdiff
ftp: avoid risk of reading uninitialized integers
author Daniel Stenberg <daniel@haxx.se>
Thu, 17 Sep 2020 14:16:38 +0000 (16:16 +0200)
committer Daniel Stenberg <daniel@haxx.se>
Fri, 18 Sep 2020 06:26:49 +0000 (08:26 +0200)
If the received PASV response doesn't match the expected pattern, we
could end up reading uninitialized integers for IP address and port
number.

Issue pointed out by muse.dev
Closes #5972

lib/ftp.c

index 868a97a532fd31624a08a94c9e402f5f438705cb..43440139077cbfaa86c31b05436b67d4ce253342 100644 (file)
--- a/lib/ftp.c
+++ b/lib/ftp.c
@@ -1860,8 +1860,8 @@ static CURLcode ftp_state_pasv_resp(struct connectdata *conn,
   else if((ftpc->count1 == 1) &&
           (ftpcode == 227)) {
     /* positive PASV response */
-    unsigned int ip[4];
-    unsigned int port[2];
+    unsigned int ip[4] = {0, 0, 0, 0};
+    unsigned int port[2] = {0, 0};
 
     /*
      * Scan for a sequence of six comma-separated numbers and use them as
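Review bot: The zero initializers on `ip[4]` and `port[2]` remove the indeterminate read, but they also mean a 227 reply that fails the six-number scan now yields a well-defined 0.0.0.0 with port 0, so the code after the scan (not visible in this hunk) has to reject a non-match explicitly rather than rely on these values. Please confirm that the scan's match result is tested before `ip` and `port` are used to build the data connection address, and consider a short comment on the two declarations saying the initialization is defensive against a malformed PASV response, so it is not later removed as redundant.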