PR #23179 opened by michaelni URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23179 Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/23179.patch
Reported by Franciszek Kalinowski (isec.pl / striga.ai) and Bartosz Smigielski. >From 4c955144e79199c5f0de1fc69db45af4f83cbcd8 Mon Sep 17 00:00:00 2001 From: Franciszek Kalinowski <[email protected]> Date: Tue, 19 May 2026 09:43:54 +0200 Subject: [PATCH] avformat/icecast: reject CR/LF in metadata header values Reported by Franciszek Kalinowski (isec.pl / striga.ai) and Bartosz Smigielski. --- libavformat/icecast.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libavformat/icecast.c b/libavformat/icecast.c index 3146d7f384..323d330e42 100644 --- a/libavformat/icecast.c +++ b/libavformat/icecast.c @@ -70,8 +70,14 @@ static const AVOption options[] = { static void cat_header(AVBPrint *bp, const char key[], const char value[]) { - if (NOT_EMPTY(value)) + if (NOT_EMPTY(value)) { + if (strpbrk(value, "\r\n")) { + av_log(NULL, AV_LOG_ERROR, + "Refusing to send '%s' header: value contains CR/LF\n", key); + return; + } av_bprintf(bp, "%s: %s\r\n", key, value); + } } static int icecast_close(URLContext *h) -- 2.52.0 _______________________________________________ ffmpeg-devel mailing list -- [email protected] To unsubscribe send an email to [email protected]
