curlx_strtoofft() doesn't fully protect against null "str" argument

[bnason-nf]

With curl 7.46.0, in curlx_strtoofft(), there is a check for a null "str" argument, but the remaining lines of the function don't guard against null. Currently, it it would cause a null pointer dereference if str were ever null.

So, either the first condition in this while loop is unnecessary if str can never be null:

while(str && *str && ISSPACE(*str))

Or the remaining code should be changed to handle a null str argument (maybe just an early out at the top of the function would be simplest).

[bnason-nf]

By the way I'm happy to provide a patch and pull request if there is a preference for which way to go with this.

[bagder]

First, 7.46.0 is really old so we don't really care much how we did back then. But...

The code still has a similar construct. We just don't support a NULL pointer in the first argument so the check for that being non-NULL is completely superfluous. We should perhaps instead make than an assert.

[jay]

I think he means 7.56, I can't find that code in 7.46. I agree it should be removed. It is the same as if you call strtoll or _strtoi64 with null for the first argument.

[bagder]

ah, makes sense. Yes please @bnason-nf, a PR would be nice!

[bnason-nf]

Yes sorry, 7.46.0 is a typo, I meant the latest 7.56.0. I will put together a PR.