libcurl contains a heap out-of-bounds read in the code handling the
end-of-response for SMTP.
If the buffer passed to `smtp_endofresp()` isn't NUL terminated and contains
no character ending the parsed number, and `len` is set to 5, then the
`strtol()` call reads beyond the allocated buffer. The read contents will not
be returned to the caller.
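The difference between the unbounded `strtol()` call and a length-bounded parse, as an added example (not curl's own code; the function names and the `arena` buffer are hypothetical, and the input is constructed). The trailing digits in `arena` stand in for whatever memory follows the 5-byte buffer, and the array is NUL terminated so the demonstration itself stays in bounds.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pattern described above: strtol() stops only at a non-digit or NUL,
   so it never consults len and keeps reading while it sees digits. */
static long parse_unbounded(const char *line, size_t len)
{
  (void)len;
  return strtol(line, NULL, 10);
}

/* Bounded form: copy at most 5 bytes into a scratch buffer that is
   always NUL terminated, then parse the copy. */
static long parse_bounded(const char *line, size_t len)
{
  char tmp[6];
  size_t n = len < sizeof(tmp) - 1 ? len : sizeof(tmp) - 1;
  memcpy(tmp, line, n);
  tmp[n] = '\0';
  return strtol(tmp, NULL, 10);
}

/* Constructed input: the logical buffer is the first 5 bytes ("25012"),
   with no terminator and no non-digit inside it. The "999" after it
   models adjacent memory that does not belong to the buffer. */
static const char arena[] = "25012999";

long demo_unbounded(void) { return parse_unbounded(arena, 5); }
long demo_bounded(void)   { return parse_bounded(arena, 5); }

int main(void)
{
  printf("unbounded: %ld\n", demo_unbounded());
  printf("bounded:   %ld\n", demo_bounded());
  return 0;
}
```

On a real heap buffer the unbounded call has no guaranteed terminator to stop at, which is the out-of-bounds read; AddressSanitizer reports it as a heap-buffer-overflow read inside `strtol()`.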
The issue was reported to the project on 18 January 2019.
A patch was sent to me on 19 January 2019.
curl 7.64.0 was released on 6 January 2019.
https://curl.haxx.se/docs/CVE-2019-3823.html