From 36048e8fef019c5be938f8a688845b6eef1d46ab Mon Sep 17 00:00:00 2001
From: Timo Teräs
Date: Fri, 16 Jul 2021 10:54:08 +0300
Subject: libfetch: fix range checking for http/ftp protocol parsing Various parsing of numeric strings were not having adequate range checking causing information leak or potential crash. CVE-2021-36159 fixes #10749
Co-authored-by: Ariadne Conill
Reported-by: Samanta Navarro
---
 libfetch/fetch.c | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)
(limited to 'libfetch/fetch.c')
diff --git a/libfetch/fetch.c b/libfetch/fetch.c
index a0d4dbd..45c92aa 100644
--- a/libfetch/fetch.c
+++ b/libfetch/fetch.c
@@ -473,15 +473,12 @@ find_user:
 /* port */
 if (*p == ':') {
- for (q = ++p; *q && (*q != '/'); q++)
- if (isdigit((unsigned char)*q))
- u->port = u->port * 10 + (*q - '0');
- else {
- /* invalid port */
- url_seterr(URL_BAD_PORT);
- goto ouch;
- }
- p = q;
+ u->port = fetch_parseuint(p + 1, &p, 10, IPPORT_MAX);
+ if (*p && *p != '/') {
+ /* invalid port */
+ url_seterr(URL_BAD_PORT);
+ goto ouch;
+ }
 }
 /* document */
--
cgit v1.2.3-60-g2f50
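Review bot: The only validity test after the new `fetch_parseuint(p + 1, &p, 10, IPPORT_MAX)` call is `*p && *p != '/'`, so rejecting an out-of-range or empty port depends entirely on where the helper leaves `p` on failure, and the helper is not defined in this file section. If it reports errors through the end pointer, a comment above the check such as `/* fetch_parseuint() leaves p on a non-'/' byte on overflow or missing digits */` would stop a later reader from "simplifying" the test; if it does not, a value above `IPPORT_MAX` could pass silently and should be caught by an explicit range check here. It is also worth stating whether `host:/path` (an empty port, which the removed loop accepted while leaving `u->port` unchanged) is still meant to be valid, since that now depends on the helper as well. The enclosing function starts and ends outside the hunk.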