* src/ne_uri.c (ne_uri_parse): Restrict the maximum allowed port to

  65535, parse the port number directly rather than via atoi().

* test/uri-tests.c (failparse): Test that an excessively long port
  number fails to parse.

src/ne_uri.c

@@ -220,23 +220,30 @@ int ne_uri_parse(const char *uri, ne_uri *parsed)
 
         parsed->host = ne_strndup(s, p - s);
 
-        if (p != pa && p + 1 != pa) {
-            p++;
+        /* Iff p and pa (=> path-abempty) differ, the optional port
+         * section is present and parsed here: */
+        if (p != pa) {
+            unsigned int port = 0;
 
-            s = p;
-            /* => s = port */
+            if (*p++ != ':') return -1;
 
-            while (p < pa) {
-                if (!(uri_lookup(*p) & URI_DIGIT))
-                    return -1;
+            /* => p = port */
 
-                p++;
-            }
+            /* port = *DIGIT
+             *
+             * Note: port can be the empty string, in which case now:
+             * p == pa and port is parsed as 0, as desired. */
+            while (p < pa && port < 65536 && (uri_lookup(*p) & URI_DIGIT) != 0)
+                port = 10*port + *p++-'0';
+
+            /* If p did not reach pa there was some non-digit present
+             * or the integer was too large, so fail. */
+            if (p != pa) return -1;
 
-            parsed->port = atoi(s);
+            parsed->port = port;
         }
 
-        s = pa;
+        s = pa; /* Next, parse path-abempty */
     }
 
     /* => s = path-abempty / path-absolute / path-rootless

test/uri-tests.c

@@ -384,6 +384,7 @@ static int failparse(void)
         "http://fish/[foo]/bar",
         "http://foo:80bar",
         "http://foo:80:80/bar",
+        "http://foo:8000000000000000000000000000000000000000000000000/bar",
         NULL
     };
     int n;