Hello, I know the root cause about CVE-2019-3823[1] is strtol() call reads
beyond the allocated buffer[3]. So I think the root cause statement should be
the line 211: "*resp = curlx_sltosi(strtol(line, NULL, 10));". But the website
tell me the Vulnerability introduce commit is 2766262a68[2]. In that commit,
'len == 5' is introduced, but I think it is not the Vulnerability introduce
commit. The commit 5db0a412ff[4] is the introduced commit of function call
'strtol'.
[1] https://curl.se/docs/CVE-2019-3823.html
[2] https://github.com/curl/curl/commit/2766262a68
[3] https://github.com/curl/curl/commit/39df4073e5413fcdbb5a38d
[4] https://github.com/curl/curl/commit/5db0a412ff
--
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-library
Etiquette: https://curl.se/mail/etiquette.html
