PR #21392 opened by rcx86 URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21392 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21392.patch
Overly long HTTP header lines were silently truncated. A malicious server could exploit this to cause parsing issues or other unexpected behavior. >From a58623aef1677fdab028010325cfbb247c78d648 Mon Sep 17 00:00:00 2001 From: HACKE-RC <[email protected]> Date: Mon, 29 Dec 2025 22:19:59 +0530 Subject: [PATCH] libavformat/http: reject HTTP header lines exceeding buffer size Overly long HTTP header lines were silently truncated. A malicious server could exploit this to cause parsing issues or other unexpected behavior. --- libavformat/http.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/libavformat/http.c b/libavformat/http.c index bd25a45636..422b1ecec5 100644 --- a/libavformat/http.c +++ b/libavformat/http.c @@ -827,6 +827,7 @@ static int http_get_line(HTTPContext *s, char *line, int line_size) { int ch; char *q; + int too_long = 0; q = line; for (;;) { @@ -839,10 +840,20 @@ static int http_get_line(HTTPContext *s, char *line, int line_size) q--; *q = '\0'; + if (too_long) { + av_log(s, AV_LOG_ERROR, + "HTTP header line exceeds buffer size (%d); rejecting\n", + line_size); + return AVERROR_INVALIDDATA; + } + return 0; } else { - if ((q - line) < line_size - 1) + if ((q - line) < line_size - 1) { *q++ = ch; + } else { + too_long = 1; + } } } } @@ -1659,7 +1670,8 @@ static int http_buf_read(URLContext *h, uint8_t *buf, int size) s->chunksize); if (!s->chunksize && s->multiple_requests) { - http_get_line(s, line, sizeof(line)); // read empty chunk + if ((err = http_get_line(s, line, sizeof(line))) < 0) + return err; s->chunkend = 1; return 0; } -- 2.49.1 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
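Review bot: Once `too_long` is set in the new `else` branch of `http_get_line`, the loop keeps consuming bytes until a newline arrives, so the input read for a line that will be rejected anyway is not bounded by `line_size`. Rejecting at the point of overflow bounds the work and removes the need for the flag: move the `av_log()` call into that branch and follow it with `return AVERROR_INVALIDDATA;`. The read and the end-of-line test sit between this hunk and the previous one, so this assumes the only other exit from the loop is a read error. Separately, the hard failure also applies to over-long header fields the parser would otherwise ignore, which used to be truncated without effect. The callers' buffer sizes are outside the hunk, so confirm they are large enough for headers that real servers send.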
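Review bot: In `http_buf_read`, the new `return err;` fires on the line that follows the final zero-size chunk, after the body has already been delivered, so an over-long line there now turns a completed transfer into an error instead of setting `s->chunkend`. If that is intended, say so where the old `// read empty chunk` comment was dropped, e.g. `/* consume the line after the last chunk; over-long input is a protocol error */`. The declarations of `line` and `err` are outside the hunk, so the size that triggers the rejection cannot be checked from these lines. If `line` is a small buffer sized for chunk-size digits, a trailer field of ordinary length would trip it.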
