libfetch: fix range checking for http/ftp protocol parsing

Various parsing of numeric strings were not having adequate range
checking causing information leak or potential crash.

CVE-2021-36159
fixes #10749

Co-authored-by: Ariadne Conill <ariadne@dereferenced.org>
Reported-by: Samanta Navarro <ferivoz@riseup.net>

1 files changed, 24 insertions, 0 deletions

diff --git a/libfetch/common.c b/libfetch/common.c
index bcba889..01c5f2b 100644
--- a/libfetch/common.c
+++ b/libfetch/common.c
@@ -171,6 +171,30 @@ fetch_info(const char *fmt, ...)
 
 /*** Network-related utility functions ***************************************/
 
+uintmax_t
+fetch_parseuint(const char *str, const char **endptr, int radix, uintmax_t max)
+{
+	uintmax_t val = 0, maxx = max / radix, d;
+	const char *p;
+
+	for (p = str; isxdigit((unsigned char)*p); p++) {
+		unsigned char ch = (unsigned char)*p;
+		if (isdigit(ch))
+			d = ch - '0';
+		else	d = tolower(ch - 'a');
+		if (d > radix || val > maxx) goto err;
+		val *= radix;
+		if (val > max-d) goto err;
+		val += d;
+	}
+	if (p == str || val > max) goto err;
+	*endptr = p;
+	return val;
+err:
+	*endptr = "\xff";
+	return 0;
+}
+
 /*
  * Return the default port for a scheme
  */