From 575977e422af10d18765604f0bae96cb90389a10 Mon Sep 17 00:00:00 2001
From: Toby Schneider
Date: Wed, 21 Oct 2015 19:59:54 -0400
Subject: [PATCH] Added check to ensure we're not matching zero length strings
---
 src/authy_api.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/authy_api.c b/src/authy_api.c
index 31d3e1f..a3a38c0 100644
--- a/src/authy_api.c
+++ b/src/authy_api.c
@@ -177,7 +177,9 @@ tokenResponseIsValid(char *pszResponse)
 shouldn't be the last one because it won't be a key */
 for (cnt = 0; cnt < 19; cnt++)
 {
- if(strncmp(pszResponse + (tokens[cnt]).start, "token", (tokens[cnt]).end - (tokens[cnt]).start) == 0)
+ /* avoid matching empty strings since "" == "" */
+ int len = (tokens[cnt]).end - (tokens[cnt]).start;
+ if(len > 0 && strncmp(pszResponse + (tokens[cnt]).start, "token", len) == 0)
 {
 if(strncmp(pszResponse + (tokens[cnt+1]).start, "is valid", (tokens[cnt+1]).end - (tokens[cnt+1]).start) == 0){
 return TRUE;
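Review bot: The added `len > 0` guard rejects only the empty key; `strncmp` is still bounded by the token's own length, so any key that is a proper prefix of "token" compares equal. The unchanged value comparison on the inner `if` has the same flaw and no length guard at all, so a zero-length value still matches "is valid". Since tokenResponseIsValid appears to decide whether the API response counts as a successful verification, both comparisons should require an exact length, e.g. `if(len == (int)strlen("token") && strncmp(pszResponse + (tokens[cnt]).start, "token", len) == 0)`, with the equivalent `vlen == (int)strlen("is valid")` check on `tokens[cnt+1]`. It is also worth confirming that `tokens[cnt+1]` is a populated token before its `start`/`end` are read. The parser call, the array setup and the rest of the function lie outside this hunk.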