From 967a626af48aafd3747c39a5597bd8c4a7977a7a Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Wed, 3 Sep 2025 09:41:29 +0200
Subject: [PATCH] idn: reject conversions that end up as a zero length hostname

Reported-by: RepoRascal on hackerone
Closes #18462
---
 lib/idn.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/lib/idn.c b/lib/idn.c
index 63d2b8645a..28c45d6681 100644
--- a/lib/idn.c
+++ b/lib/idn.c
@@ -323,8 +323,12 @@ CURLcode Curl_idn_decode(const char *input, char **output)
       result = CURLE_OUT_OF_MEMORY;
   }
 #endif
-  if(!result)
-    *output = d;
+  if(!result) {
+    if(!d[0]) /* ended up zero length, not acceptable */
+      result = CURLE_URL_MALFORMAT;
+    else
+      *output = d;
+  }
   return result;
 }
 
-- 
2.47.3