From 6f1dfab6a29242525cdc7b48f5ee49269b9cc316 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 11 May 2026 00:18:53 +0200
Subject: [PATCH] ftp: avoid accessing EPSV response one byte past the NULL

If the response is just a single "(".

Reported-by: Andrew Nesbit
Closes #21545
---
 lib/ftp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/ftp.c b/lib/ftp.c
index 17cedb3353..3f55f68d82 100644
--- a/lib/ftp.c
+++ b/lib/ftp.c
@@ -2073,7 +2073,7 @@ static CURLcode ftp_state_pasv_resp(struct Curl_easy *data,
       ptr++;
       /* |||12345| */
       sep = ptr[0];
-      if((ptr[1] == sep) && (ptr[2] == sep) && ISDIGIT(ptr[3])) {
+      if(sep && (ptr[1] == sep) && (ptr[2] == sep) && ISDIGIT(ptr[3])) {
         const char *p = &ptr[3];
         curl_off_t num;
         if(curlx_str_number(&p, &num, 0xffff) || (*p != sep)) {