LibHTTP: Fix buffer overflow when body is larger than the Content-Length

(Actually, this also needs a Content-Encoding header, as response streaming is disabled then. It didn't fit in the title.) We were creating too small buffer -- instead of assigning the total received buffer size, we were using the Content-Length value. As you can see, the m_buffered_size might now exceed the Content-Length value, but that will be handled in next commits, regardless if the response can be streamed or not. :^) Here's a minimal code that caused crash before: printf 'HTTP/1.0 200 OK\r\n%s\r\n%s\r\n\r\n%s' \ 'Content-Encoding: anything' 'Content-Length: 3' \ ':^)AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' | nc -lN 0.0.0.0 8000 pro http://0.0.0.0:8000
2025-07-26 12:37:45 +00:00 · 2021-10-16 01:40:43 +02:00 · 2021-10-16 01:40:43 +02:00 · 71f663b205
commit 71f663b205
parent 87bd98fe8e
1 changed files with 1 additions and 1 deletions
--- a/Userland/Libraries/LibHTTP/Job.cpp
+++ b/Userland/Libraries/LibHTTP/Job.cpp
@ -383,7 +383,7 @@ void Job::finish_up()
    VERIFY(!m_has_scheduled_finish);
    m_state = State::Finished;
    if (!m_can_stream_response) {
-        auto flattened_buffer = ByteBuffer::create_uninitialized(m_received_size).release_value(); // FIXME: Handle possible OOM situation.
+        auto flattened_buffer = ByteBuffer::create_uninitialized(m_buffered_size).release_value(); // FIXME: Handle possible OOM situation.
        u8* flat_ptr = flattened_buffer.data();
        for (auto& received_buffer : m_received_buffers) {
            memcpy(flat_ptr, received_buffer.data(), received_buffer.size());