Hans Leidekker : winhttp: Validate the port number in WinHttpCrackUrl.

[Alexandre Julliard]

Module: wine
Branch: master
Commit: 17b4abf47f369a056401abc3b9e60f9c94e4eb5f
URL:    http://source.winehq.org/git/wine.git/?a=commit;h=17b4abf47f369a056401abc3b9e60f9c94e4eb5f

Author: Hans Leidekker <hans at codeweavers.com>
Date:   Tue Aug 16 12:30:02 2016 +0200

winhttp: Validate the port number in WinHttpCrackUrl.

Signed-off-by: Hans Leidekker <hans at codeweavers.com>
Signed-off-by: Alexandre Julliard <julliard at winehq.org>

---

 dlls/winhttp/tests/url.c | 22 ++++++++++++++++++++++
 dlls/winhttp/url.c       | 19 ++++++++++++++++---
 2 files changed, 38 insertions(+), 3 deletions(-)

diff --git a/dlls/winhttp/tests/url.c b/dlls/winhttp/tests/url.c
index ec6dbd0..27979f6 100644
--- a/dlls/winhttp/tests/url.c
+++ b/dlls/winhttp/tests/url.c
@@ -69,6 +69,9 @@ static const WCHAR url12[] =
 static const WCHAR url13[] =
     {'h','t','t','p',':','/','/','w','i','n','e','h','q','.','o',' ','g','/','p','a','t','h',' ','w','i','t','h',' ','s','p','a','c','e','s',0};
 static const WCHAR url14[] = {'h','t','t','p',':','/','/','w','w','w','.','w','i','n','e','h','q','.','o','r','g','/','t','e','s','t',0};
+static const WCHAR url15[] = {'h','t','t','p',':','/','/','w','i','n','e','h','q','.','o','r','g',':','6','5','5','3','6',0};
+static const WCHAR url16[] = {'h','t','t','p',':','/','/','w','i','n','e','h','q','.','o','r','g',':','0',0};
+static const WCHAR url17[] = {'h','t','t','p',':','/','/','w','i','n','e','h','q','.','o','r','g',':',0};
 
 static const WCHAR url_k1[]  =
     {'h','t','t','p',':','/','/','u','s','e','r','n','a','m','e',':','p','a','s','s','w','o','r','d',
@@ -718,6 +721,25 @@ static void WinHttpCrackUrl_test( void )
     ok( uc.dwUrlPathLength == 0, "unexpected length %u\n", uc.dwUrlPathLength );
     ok( !uc.lpszExtraInfo, "unexpected extra info %s\n", wine_dbgstr_w(uc.lpszExtraInfo) );
     ok( uc.dwExtraInfoLength == 0, "unexpected length %u\n", uc.dwExtraInfoLength );
+
+    reset_url_components( &uc );
+    SetLastError( 0xdeadbeef );
+    ret = WinHttpCrackUrl( url15, 0, 0, &uc );
+    error = GetLastError();
+    ok( !ret, "WinHttpCrackUrl succeeded\n" );
+    ok( error == ERROR_WINHTTP_INVALID_URL, "got %u\n", error );
+
+    reset_url_components( &uc );
+    uc.nPort = 1;
+    ret = WinHttpCrackUrl( url16, 0, 0, &uc );
+    ok( ret, "got %u\n", GetLastError() );
+    ok( !uc.nPort, "got %u\n", uc.nPort );
+
+    reset_url_components( &uc );
+    uc.nPort = 1;
+    ret = WinHttpCrackUrl( url17, 0, 0, &uc );
+    ok( ret, "got %u\n", GetLastError() );
+    todo_wine ok( uc.nPort == 80, "got %u\n", uc.nPort );
 }
 
 START_TEST(url)
diff --git a/dlls/winhttp/url.c b/dlls/winhttp/url.c
index 2b479a9..8888b8f 100644
--- a/dlls/winhttp/url.c
+++ b/dlls/winhttp/url.c
@@ -163,6 +163,19 @@ static WCHAR *escape_url( LPCWSTR url, DWORD *len )
     return ret;
 }
 
+static DWORD parse_port( const WCHAR *str, DWORD len, INTERNET_PORT *ret )
+{
+    const WCHAR *p = str;
+    DWORD port = 0;
+    while (len && isdigitW( *p ))
+    {
+        if ((port = port * 10 + *p - '0') > 65535) return ERROR_WINHTTP_INVALID_URL;
+        p++; len--;
+    }
+    *ret = port;
+    return ERROR_SUCCESS;
+}
+
 /***********************************************************************
  *          WinHttpCrackUrl (winhttp.@)
  */
@@ -172,7 +185,7 @@ BOOL WINAPI WinHttpCrackUrl( LPCWSTR url, DWORD len, DWORD flags, LPURL_COMPONEN
     DWORD err, scheme_len, user_len, passwd_len, host_len, path_len, extra_len;
     INTERNET_SCHEME scheme = 0;
 
-    TRACE("%s, %d, %x, %p\n", debugstr_w(url), len, flags, uc);
+    TRACE("%s, %d, %x, %p\n", debugstr_wn(url, len), len, flags, uc);
 
     if (!url || !uc || uc->dwStructSize != sizeof(URL_COMPONENTS))
     {
@@ -258,7 +271,7 @@ BOOL WINAPI WinHttpCrackUrl( LPCWSTR url, DWORD len, DWORD flags, LPURL_COMPONEN
         {
             if ((err = set_component( &uc->lpszHostName, &host_len, p, r - p, flags ))) goto exit;
             r++;
-            uc->nPort = atoiW( r );
+            if ((err = parse_port( r, q - r, &uc->nPort ))) goto exit;
         }
         else
         {
@@ -284,7 +297,7 @@ BOOL WINAPI WinHttpCrackUrl( LPCWSTR url, DWORD len, DWORD flags, LPURL_COMPONEN
         {
             if ((err = set_component( &uc->lpszHostName, &host_len, p, r - p, flags ))) goto exit;
             r++;
-            uc->nPort = atoiW( r );
+            if ((err = parse_port( r, len - (r - url), &uc->nPort ))) goto exit;
         }
         else
         {