* [FFmpeg-devel] [PR] libavformat/http: reject HTTP header lines exceeding buffer size (PR #21392)
@ 2026-01-06 12:52 rcx86 via ffmpeg-devel
0 siblings, 0 replies; only message in thread
From: rcx86 via ffmpeg-devel @ 2026-01-06 12:52 UTC (permalink / raw)
To: ffmpeg-devel; +Cc: rcx86
PR #21392 opened by rcx86
URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21392
Patch URL: https://code.ffmpeg.org/FFmpeg/FFmpeg/pulls/21392.patch
Overly long HTTP header lines were silently truncated. A malicious
server could exploit this to cause parsing issues or other unexpected
behavior.
>From a58623aef1677fdab028010325cfbb247c78d648 Mon Sep 17 00:00:00 2001
From: HACKE-RC <60568652+HACKE-RC@users.noreply.github.com>
Date: Mon, 29 Dec 2025 22:19:59 +0530
Subject: [PATCH] libavformat/http: reject HTTP header lines exceeding buffer
size
Overly long HTTP header lines were silently truncated. A malicious
server could exploit this to cause parsing issues or other unexpected
behavior.
---
libavformat/http.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/libavformat/http.c b/libavformat/http.c
index bd25a45636..422b1ecec5 100644
--- a/libavformat/http.c
+++ b/libavformat/http.c
@@ -827,6 +827,7 @@ static int http_get_line(HTTPContext *s, char *line, int line_size)
{
int ch;
char *q;
+ int too_long = 0;
q = line;
for (;;) {
@@ -839,10 +840,20 @@ static int http_get_line(HTTPContext *s, char *line, int line_size)
q--;
*q = '\0';
+ if (too_long) {
+ av_log(s, AV_LOG_ERROR,
+ "HTTP header line exceeds buffer size (%d); rejecting\n",
+ line_size);
+ return AVERROR_INVALIDDATA;
+ }
+
return 0;
} else {
- if ((q - line) < line_size - 1)
+ if ((q - line) < line_size - 1) {
*q++ = ch;
+ } else {
+ too_long = 1;
+ }
}
}
}
@@ -1659,7 +1670,8 @@ static int http_buf_read(URLContext *h, uint8_t *buf, int size)
s->chunksize);
if (!s->chunksize && s->multiple_requests) {
- http_get_line(s, line, sizeof(line)); // read empty chunk
+ if ((err = http_get_line(s, line, sizeof(line))) < 0)
+ return err;
s->chunkend = 1;
return 0;
}
--
2.49.1
_______________________________________________
ffmpeg-devel mailing list -- ffmpeg-devel@ffmpeg.org
To unsubscribe send an email to ffmpeg-devel-leave@ffmpeg.org
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2026-01-06 12:52 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-01-06 12:52 [FFmpeg-devel] [PR] libavformat/http: reject HTTP header lines exceeding buffer size (PR #21392) rcx86 via ffmpeg-devel
Git Inbox Mirror of the ffmpeg-devel mailing list - see https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
This inbox may be cloned and mirrored by anyone:
git clone --mirror https://master.gitmailbox.com/ffmpegdev/0 ffmpegdev/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 ffmpegdev ffmpegdev/ https://master.gitmailbox.com/ffmpegdev \
ffmpegdev@gitmailbox.com
public-inbox-index ffmpegdev
Example config snippet for mirrors.
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git