The standard libc API set provides several functions that convert ASCII numbers to integers.
They are useful and easy to use, but also error-prone and quite lenient in what they accept and silently swallow.
atoi
atoi() is probably the most common and basic one. It converts a string to a signed integer. There is also the companion atol(), which instead converts to a long.
The problems with these include that they return 0 instead of an error, that they have no checks for underflow or overflow, and in the atol() case there is the challenge that long has different sizes on different platforms. Therefore neither of them can be reliably used for 64-bit numbers. They also don't say where the number ended.
Using these functions opens your parser up to not detecting and handling errors or strange input. When we avoid these functions we write better and stricter parsers.
strtol
This function, along with its siblings strtoul() and strtoll() etc., is more capable. They have overflow detection and can detect errors, such as there being no digits to parse.
However, these functions also swallow leading whitespace quite happily and they allow a + or - in front of the number. The long versions of these functions have the problem that long is not universally 64-bit, and the long long version has the problem that it is not universally available.
Detecting overflow and underflow with these functions is quite tricky: it involves errno and forces us to spend several extra lines of conditions on each invocation to make sure we catch them.
curl code
I think we at the curl project as well as more or less the whole world have learned over the years that it is usually better to be strict when parsing protocols and data, rather than being lenient and trying to accept many things and guess what it otherwise perhaps meant.
As a direct result of this we ensure that curl parses and interprets data exactly as that data is meant to look, and as soon as we detect that the data is wrong, we error out. For security and solid functionality, providing syntactically incorrect data is not accepted.
It also implies that all number parsing must be exact, that overflows and maximum allowed values must be handled correctly and conveniently, and that errors must be detected. It always supports up to 64-bit numbers.
strparse
I've blogged before about how we implemented our own set of parsing functions in curl, and these include number parsing.
curlx_str_number() is the most used of the ones we have created. It parses a string and stores the value in a 64-bit variable (which is always present in curl code and is always 64-bit). It also has a maximum value argument so that it returns an error if the number is too large. And of course it also errors out on overflow etc.
This function of ours does not allow any leading spaces and certainly does not allow any prefix plus or minus. If they must be allowed, the surrounding parsing code needs to explicitly allow them.
The curlx_str_number function is probably a little slower than the functions it replaces, but I don't think the difference is huge and the convenience and added strictness are very welcome. We write better code and parsers this way. More secure. (curlx_str_number source code)
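The difference between the lenient and the strict approach, as an added example that is not curl's code: `lenient_number()` wraps strtol() with the errno checks described above, while `strict_number()` is a hypothetical parser written here to follow the rules this section lists (digits only, a maximum value, overflow detection, reporting where the number ended). All names and the `NUM_*` codes are assumptions of this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

enum { NUM_OK, NUM_NO_DIGITS, NUM_TOO_LARGE }; /* hypothetical, not curl's */

/* strtol() with every check it needs; it still accepts " +42". */
static int lenient_number(const char *s, long *out)
{
  char *end;
  long v;
  errno = 0;                 /* ERANGE is only meaningful if cleared first */
  v = strtol(s, &end, 10);
  if(end == s)
    return NUM_NO_DIGITS;    /* nothing was converted */
  if(errno == ERANGE)
    return NUM_TOO_LARGE;    /* result was clamped to LONG_MIN/LONG_MAX */
  *out = v;
  return NUM_OK;
}

/* Strict: first byte must be a digit, so no whitespace and no sign. */
static int strict_number(const char **strp, int64_t *out, int64_t max)
{
  const char *p = *strp;
  int64_t num = 0;
  if(*p < '0' || *p > '9')
    return NUM_NO_DIGITS;
  for(; *p >= '0' && *p <= '9'; p++) {
    int digit = *p - '0';
    /* test before multiplying so the arithmetic itself cannot overflow */
    if(digit > max || num > (max - digit) / 10)
      return NUM_TOO_LARGE;
    num = num * 10 + digit;
  }
  *out = num;
  *strp = p;                 /* tell the caller where the number ended */
  return NUM_OK;
}

int main(void)
{
  const char *in = "8080/path";  /* constructed sample input */
  int64_t port = 0;
  if(strict_number(&in, &port, 65535) == NUM_OK)
    printf("port=%lld rest=\"%s\"\n", (long long)port, in);
  return 0;
}
```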
History
As of tomorrow, November 12th 2025, all those vulnerable function calls have been wiped from the curl source code. The drop seen in early 2025 was when we got rid of all strtol() variations. Yesterday we finally got rid of the last atoi() call.

(Daily updated version of the graph.)
curlx
The function mentioned above uses the 'curlx' prefix. We use this prefix in curl code for functions that exist in the libcurl source code but that are also used by the curl tool, sharing the same code without it being offered through the libcurl API.
It is a thing we do to reduce code duplication and share code between the library and the command line tool.
