libvncserver: fix NULL pointer dereferences in httpd proxy handlers

httpProcessInput() passes the return value of strchr() to atoi()
and strncmp() without checking for NULL. If a CONNECT request
contains no colon, or a GET request contains no slash, strchr()
returns NULL, leading to a segmentation fault.

Add NULL checks before using the strchr() return values.

Author: y637F9QQ2x

src/libvncserver/httpd.c

@@ -353,10 +353,11 @@ httpProcessInput(rfbScreenInfoPtr rfbScreen)
 
 
     /* Process the request. */
-    if(rfbScreen->httpEnableProxyConnect) {
+if(rfbScreen->httpEnableProxyConnect) {
 	const static char* PROXY_OK_STR = "HTTP/1.0 200 OK\r\nContent-Type: octet-stream\r\nPragma: no-cache\r\n\r\n";
 	if(!strncmp(buf, "CONNECT ", 8)) {
-	    if(atoi(strchr(buf, ':')+1)!=rfbScreen->port) {
+	    char *colon = strchr(buf, ':');
+	    if(colon == NULL || atoi(colon+1)!=rfbScreen->port) {
 		rfbErr("httpd: CONNECT format invalid.\n");
 		rfbWriteExact(&cl,INVALID_REQUEST_STR, strlen(INVALID_REQUEST_STR));
 		httpCloseSock(rfbScreen);
@@ -369,14 +370,17 @@ httpProcessInput(rfbScreenInfoPtr rfbScreen)
 	    rfbScreen->httpSock = RFB_INVALID_SOCKET;
 	    return;
 	}
-	if (!strncmp(buf, "GET ",4) && !strncmp(strchr(buf,'/'),"/proxied.connection HTTP/1.", 27)) {
-	    /* proxy connection */
-	    rfbLog("httpd: client asked for /proxied.connection\n");
-	    rfbWriteExact(&cl,PROXY_OK_STR,strlen(PROXY_OK_STR));
-	    rfbNewClientConnection(rfbScreen,rfbScreen->httpSock);
-	    rfbScreen->httpSock = RFB_INVALID_SOCKET;
-	    return;
-	}	   
+	if (!strncmp(buf, "GET ",4)) {
+	    char *slash = strchr(buf, '/');
+	    if (slash != NULL && !strncmp(slash,"/proxied.connection HTTP/1.", 27)) {
+		/* proxy connection */
+		rfbLog("httpd: client asked for /proxied.connection\n");
+		rfbWriteExact(&cl,PROXY_OK_STR,strlen(PROXY_OK_STR));
+		rfbNewClientConnection(rfbScreen,rfbScreen->httpSock);
+		rfbScreen->httpSock = RFB_INVALID_SOCKET;
+		return;
+	    }
+	}
     }
 
     if (strncmp(buf, "GET ", 4)) {