Curl parse_connect_to_string Heap-Overread Leading to Denial of Service via CURLOPT_CONNECT_TO
Medium
C
curl
Reported by
irene1hacker
Vulnerability Details
Technical details and impact analysis
## Summary:
A heap-buffer-overread occurs in curl's parse_connect_to_string function when the CURLOPT_CONNECT_TO option is given crafted input. It can cause a segmentation fault and crash the calling application, resulting in a denial of service. The issue is triggered by malformed host strings containing unexpected characters, such as a newline (\n), that are not validated before the pointer is dereferenced.
## Affected version
curl 8.16.0-DEV (Linux) libcurl/8.16.0-DEV
## Steps To Reproduce:
1. Compile libcurl with sanitizers enabled:
```
mkdir build && cd build
CC=clang CXX=clang++ cmake .. -DCMAKE_BUILD_TYPE=Debug -DCMAKE_C_FLAGS="-g -O1 -fsanitize=address" -DBUILD_SHARED_LIBS=OFF -DBUILD_STATIC_LIBS=ON -DBUILD_TESTING=OFF -DBUILD_EXAMPLES=OFF -DENABLE_MANUAL=OFF
cmake --build . --config Debug
```
2. Build the test target:
```
clang++ -g -O1 -fsanitize=address -I../include -I../src/include minimal_curl_connect_crash.cpp ./lib/libcurl-d.a -o minimal_curl_connect_crash -lpsl -ldl -lpthread -lssl -lcrypto -lz
```
3. Run the test target:
```
./minimal_curl_connect_crash
```
## Supporting Material/References:
Two file attachments (F4696730, F4696745) were included with the report but are not rendered on this page.
## Impact
An attacker can cause a denial of service (DoS) by crashing the application with a specially crafted CURLOPT_CONNECT_TO string. No code execution or data leakage is known; the primary risk is service disruption.
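The report does not include the crafted string, and libcurl treats values handed to curl_easy_setopt() as trusted, so the practical mitigation is on the application side: reject malformed entries before they reach CURLOPT_CONNECT_TO. Below is an added example (not curl's or the reporter's code) of such a pre-check; it assumes the documented HOST:PORT:CONNECT-TO-HOST:CONNECT-TO-PORT format and a constructed 1024-byte length cap.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Returns true when s is a well-formed CONNECT_TO entry: exactly four
 * ':'-separated fields, bracketed IPv6 hosts such as "[::1]" allowed in
 * fields 1 and 3, ports (fields 2 and 4) empty or 0..65535, and no control
 * or non-ASCII bytes anywhere. Empty fields are allowed because they act
 * as wildcards in the curl syntax. The 1024-byte cap is a constructed limit. */
bool connect_to_is_sane(const char *s)
{
    int field = 1;          /* 1-based index of the field being scanned */
    long port = 0;          /* accumulated value of the current port field */
    bool in_bracket = false;
    size_t i;

    if (s == NULL || *s == '\0' || strlen(s) > 1024)
        return false;

    for (i = 0; s[i] != '\0'; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c < 0x20 || c == 0x7f || c >= 0x80)   /* \n, \r, \t, DEL, non-ASCII */
            return false;
        if (c == ':' && !in_bracket) {            /* field separator */
            if ((field == 2 || field == 4) && port > 65535)
                return false;
            field++;
            port = 0;
            continue;
        }
        if (field == 2 || field == 4) {           /* port fields: digits only */
            if (!isdigit(c) || port > 65535)
                return false;
            port = port * 10 + (c - '0');
            continue;
        }
        if (c == '[') {                           /* host fields */
            if (in_bracket) return false;
            in_bracket = true;
        } else if (c == ']') {
            if (!in_bracket) return false;
            in_bracket = false;
        } else if (!isalnum(c) && c != '.' && c != '-' && c != '_' && c != ':') {
            return false;
        }
    }
    return !in_bracket && field == 4 && port <= 65535;
}
```

Call it on each entry before appending it to the curl_slist passed to CURLOPT_CONNECT_TO, and drop or log any entry it rejects.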
Report Details
Additional information and metadata
State: Closed
Substate: Not-Applicable
Weakness: Buffer Over-read