ntlm: avoid malloc(0) for zero length passwords
It triggers an assert() when built with memdebug since malloc(0) may
return NULL *or* a valid pointer.
Detected by OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=4054
Assisted-by: Max Dymond
Closes #2054
diff --git a/lib/curl_ntlm_core.c b/lib/curl_ntlm_core.c
index 5154949..1309bf0 100644
--- a/lib/curl_ntlm_core.c
+++ b/lib/curl_ntlm_core.c
@@ -557,7 +557,7 @@
unsigned char *ntbuffer /* 21 bytes */)
{
size_t len = strlen(password);
- unsigned char *pw = malloc(len * 2);
+ unsigned char *pw = len ? malloc(len * 2) : strdup("");
CURLcode result;
if(!pw)
return CURLE_OUT_OF_MEMORY;