From: rcx86 via ffmpeg-devel <ffmpeg-devel@ffmpeg.org>
To: ffmpeg-devel@ffmpeg.org
Cc: rcx86 <code@ffmpeg.org>
Subject: [FFmpeg-devel] [PR] libavformat/http: reject HTTP header lines exceeding buffer size (PR #21392)
Date: Tue, 06 Jan 2026 12:52:12 -0000
Message-ID: <176770393273.25.4675216318011519321@4457048688e7> (raw)
PR #21392 opened by rcx86
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21392
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21392.patch
Overly long HTTP header lines were silently truncated. A malicious
server could exploit this to cause parsing issues or other unexpected
behavior.
>From a58623aef1677fdab028010325cfbb247c78d648 Mon Sep 17 00:00:00 2001
From: HACKE-RC <60568652+HACKE-RC@users.noreply.github.com>
Date: Mon, 29 Dec 2025 22:19:59 +0530
Subject: [PATCH] libavformat/http: reject HTTP header lines exceeding buffer
size
Overly long HTTP header lines were silently truncated. A malicious
server could exploit this to cause parsing issues or other unexpected
behavior.
---
libavformat/http.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/libavformat/http.c b/libavformat/http.c
index bd25a45636..422b1ecec5 100644
--- a/libavformat/http.c
+++ b/libavformat/http.c
@@ -827,6 +827,7 @@ static int http_get_line(HTTPContext *s, char *line, int line_size)
{
int ch;
char *q;
+ int too_long = 0;
q = line;
for (;;) {
@@ -839,10 +840,20 @@ static int http_get_line(HTTPContext *s, char *line, int line_size)
q--;
*q = '\0';
+ if (too_long) {
+ av_log(s, AV_LOG_ERROR,
+ "HTTP header line exceeds buffer size (%d); rejecting\n",
+ line_size);
+ return AVERROR_INVALIDDATA;
+ }
+
return 0;
} else {
- if ((q - line) < line_size - 1)
+ if ((q - line) < line_size - 1) {
*q++ = ch;
+ } else {
+ too_long = 1;
+ }
}
}
}
@@ -1659,7 +1670,8 @@ static int http_buf_read(URLContext *h, uint8_t *buf, int size)
s->chunksize);
if (!s->chunksize && s->multiple_requests) {
- http_get_line(s, line, sizeof(line)); // read empty chunk
+ if ((err = http_get_line(s, line, sizeof(line))) < 0)
+ return err;
s->chunkend = 1;
return 0;
}
--
2.49.1
_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
reply other threads:[~2026-01-06 12:52 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=176770393273.25.4675216318011519321@4457048688e7 \
--to=ffmpeg-devel@ffmpeg.org \
--cc=code@ffmpeg.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git