From e9c580de4efcc0c1eefbb60bf3f454ee43dd4e1e Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Thu, 17 Nov 2022 08:41:44 +0100
Subject: [PATCH] lib: parse numbers with fixed known base 10

... instead of using 0 argument that allows decimal, hex or octal when
the number is documented and assumed to use base 10.

Closes #9933
---
 lib/curl_range.c    | 4 ++--
 lib/ftp.c           | 4 ++--
 lib/strtoofft.c     | 1 +
 lib/vssh/libssh.c   | 4 ++--
 lib/vssh/libssh2.c  | 4 ++--
 src/tool_getparam.c | 2 +-
 src/tool_paramhlp.c | 2 +-
 7 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/lib/curl_range.c b/lib/curl_range.c
index dd92d05b39..49999367d7 100644
--- a/lib/curl_range.c
+++ b/lib/curl_range.c
@@ -44,12 +44,12 @@ CURLcode Curl_range(struct Curl_easy *data)
   if(data->state.use_range && data->state.range) {
     CURLofft from_t;
     CURLofft to_t;
-    from_t = curlx_strtoofft(data->state.range, &ptr, 0, &from);
+    from_t = curlx_strtoofft(data->state.range, &ptr, 10, &from);
     if(from_t == CURL_OFFT_FLOW)
       return CURLE_RANGE_ERROR;
     while(*ptr && (ISBLANK(*ptr) || (*ptr == '-')))
       ptr++;
-    to_t = curlx_strtoofft(ptr, &ptr2, 0, &to);
+    to_t = curlx_strtoofft(ptr, &ptr2, 10, &to);
     if(to_t == CURL_OFFT_FLOW)
       return CURLE_RANGE_ERROR;
     if((to_t == CURL_OFFT_INVAL) && !from_t) {
diff --git a/lib/ftp.c b/lib/ftp.c
index 2c639ebff4..4f7c12faa8 100644
--- a/lib/ftp.c
+++ b/lib/ftp.c
@@ -2299,7 +2299,7 @@ static CURLcode ftp_state_size_resp(struct Curl_easy *data,
     else
       fdigit = start;
     /* ignores parsing errors, which will make the size remain unknown */
-    (void)curlx_strtoofft(fdigit, NULL, 0, &filesize);
+    (void)curlx_strtoofft(fdigit, NULL, 10, &filesize);
 
   }
   else if(ftpcode == 550) { /* "No such file or directory" */
@@ -2484,7 +2484,7 @@ static CURLcode ftp_state_get_resp(struct Curl_easy *data,
         if(bytes) {
           ++bytes;
           /* get the number! */
-          (void)curlx_strtoofft(bytes, NULL, 0, &size);
+          (void)curlx_strtoofft(bytes, NULL, 10, &size);
         }
       }
     }
diff --git a/lib/strtoofft.c b/lib/strtoofft.c
index 30deb8c05b..fb8d92196f 100644
--- a/lib/strtoofft.c
+++ b/lib/strtoofft.c
@@ -221,6 +221,7 @@ CURLofft curlx_strtoofft(const char *str, char **endp, int base,
   curl_off_t number;
   errno = 0;
   *num = 0; /* clear by default */
+  DEBUGASSERT(base); /* starting now, avoid base zero */
 
   while(*str && ISBLANK(*str))
     str++;
diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c
index df64441682..0869c483cb 100644
--- a/lib/vssh/libssh.c
+++ b/lib/vssh/libssh.c
@@ -1663,13 +1663,13 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
           CURLofft to_t;
           CURLofft from_t;
 
-          from_t = curlx_strtoofft(data->state.range, &ptr, 0, &from);
+          from_t = curlx_strtoofft(data->state.range, &ptr, 10, &from);
           if(from_t == CURL_OFFT_FLOW) {
             return CURLE_RANGE_ERROR;
           }
           while(*ptr && (ISBLANK(*ptr) || (*ptr == '-')))
             ptr++;
-          to_t = curlx_strtoofft(ptr, &ptr2, 0, &to);
+          to_t = curlx_strtoofft(ptr, &ptr2, 10, &to);
           if(to_t == CURL_OFFT_FLOW) {
             return CURLE_RANGE_ERROR;
           }
diff --git a/lib/vssh/libssh2.c b/lib/vssh/libssh2.c
index 2211213e30..338062366b 100644
--- a/lib/vssh/libssh2.c
+++ b/lib/vssh/libssh2.c
@@ -2503,12 +2503,12 @@ static CURLcode ssh_statemach_act(struct Curl_easy *data, bool *block)
           CURLofft to_t;
           CURLofft from_t;
 
-          from_t = curlx_strtoofft(data->state.range, &ptr, 0, &from);
+          from_t = curlx_strtoofft(data->state.range, &ptr, 10, &from);
           if(from_t == CURL_OFFT_FLOW)
             return CURLE_RANGE_ERROR;
           while(*ptr && (ISBLANK(*ptr) || (*ptr == '-')))
             ptr++;
-          to_t = curlx_strtoofft(ptr, &ptr2, 0, &to);
+          to_t = curlx_strtoofft(ptr, &ptr2, 10, &to);
           if(to_t == CURL_OFFT_FLOW)
             return CURLE_RANGE_ERROR;
           if((to_t == CURL_OFFT_INVAL) /* no "to" value given */
diff --git a/src/tool_getparam.c b/src/tool_getparam.c
index d899a9263b..0beb94572c 100644
--- a/src/tool_getparam.c
+++ b/src/tool_getparam.c
@@ -502,7 +502,7 @@ static ParameterError GetSizeParameter(struct GlobalConfig *global,
   char *unit;
   curl_off_t value;
 
-  if(curlx_strtoofft(arg, &unit, 0, &value)) {
+  if(curlx_strtoofft(arg, &unit, 10, &value)) {
     warnf(global, "invalid number specified for %s\n", which);
     return PARAM_BAD_USE;
   }
diff --git a/src/tool_paramhlp.c b/src/tool_paramhlp.c
index acf34ac24d..ae9fb1377a 100644
--- a/src/tool_paramhlp.c
+++ b/src/tool_paramhlp.c
@@ -473,7 +473,7 @@ ParameterError str2offset(curl_off_t *val, const char *str)
 
 #if(SIZEOF_CURL_OFF_T > SIZEOF_LONG)
   {
-    CURLofft offt = curlx_strtoofft(str, &endptr, 0, val);
+    CURLofft offt = curlx_strtoofft(str, &endptr, 10, val);
     if(CURL_OFFT_FLOW == offt)
       return PARAM_NUMBER_TOO_LARGE;
     else if(CURL_OFFT_INVAL == offt)