ntlm: avoid malloc(0) for zero length passwords

It triggers an assert() when built with memdebug since malloc(0) may return NULL *or* a valid pointer. Detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4054 Assisted-by: Max Dymond Closes #2054
2024-12-21 15:48:49 -05:00 · 2017-11-04 16:42:21 +01:00 · 2017-11-04 16:42:21 +01:00 · 685ef13057
commit 685ef13057
parent d2146c598a
1 changed files with 1 additions and 1 deletions
--- a/lib/curl_ntlm_core.c
+++ b/lib/curl_ntlm_core.c
@ -557,7 +557,7 @@ CURLcode Curl_ntlm_core_mk_nt_hash(struct Curl_easy *data,
                                   unsigned char *ntbuffer /* 21 bytes */)
 {
  size_t len = strlen(password);
-  unsigned char *pw = malloc(len * 2);
+  unsigned char *pw = len ? malloc(len * 2) : strdup("");
  CURLcode result;
  if(!pw)
    return CURLE_OUT_OF_MEMORY;