noproxy: test bad ipv6 net size first

No need to parse anything if the size is out of range.

Added some tests to this effect to test 1614.

Closes #13902

lib/noproxy.c

@@ -89,12 +89,12 @@ UNITTEST bool Curl_cidr6_match(const char *ipv6,
 
   bytes = bits / 8;
   rest = bits & 0x07;
+  if((bytes > 16) || ((bytes == 16) && rest))
+    return FALSE;
   if(1 != Curl_inet_pton(AF_INET6, ipv6, address))
     return FALSE;
   if(1 != Curl_inet_pton(AF_INET6, network, check))
     return FALSE;
-  if((bytes > 16) || ((bytes == 16) && rest))
-    return FALSE;
   if(bytes && memcmp(address, check, bytes))
     return FALSE;
   if(rest && !((address[bytes] ^ check[bytes]) & (0xff << (8 - rest))))
@@ -231,6 +231,8 @@ bool Curl_check_noproxy(const char *name, const char *no_proxy)
           slash = strchr(check, '/');
           /* if the slash is part of this token, use it */
           if(slash) {
+            /* if the bits variable gets a crazy value here, that is fine as
+               the value will then be rejected in the cidr function */
             bits = (unsigned int)atoi(slash + 1);
             *slash = 0; /* null terminate there */
           }

tests/unit/unit1614.c

@@ -110,10 +110,14 @@ UNITTEST_START
     { "192.168.0.1", "192.168.0.0/32", FALSE},
     { "192.168.0.1", "192.168.0.0", FALSE},
     { "192.168.1.1", "192.168.0.0/24", FALSE},
+    { "192.168.1.1", "192.168.0.0/33", FALSE},
     { "192.168.1.1", "foo, bar, 192.168.0.0/24", FALSE},
     { "192.168.1.1", "foo, bar, 192.168.0.0/16", TRUE},
     { "[::1]", "foo, bar, 192.168.0.0/16", FALSE},
     { "[::1]", "foo, bar, ::1/64", TRUE},
+    { "[::1]", "::1/64", TRUE},
+    { "[::1]", "::1/96", TRUE},
+    { "[::1]", "::1/129", FALSE},
     { "bar", "foo, bar, ::1/64", TRUE},
     { "BAr", "foo, bar, ::1/64", TRUE},
     { "BAr", "foo,,,,,              bar, ::1/64", TRUE},