Two adversarial bugs surfaced by the round-2 audit on this crate.

extract_video_id recursion (linkhandler/stream.rs)

/attribution_link?u=<inner> recursed on the inner URL with no depth guard. The comment claimed 'only one level deep' but the call was plain recursion — a pasted URL whose u= param decodes to another /attribution_link would recurse until the JVM stack blew. Wrap the recursion in extract_video_id_inner with an explicit depth counter capped at MAX_ATTRIBUTION_DEPTH = 1.

ReqwestDownloader body cap (downloader/default_impl.rs)

resp.text() read the entire response body into a String with no upper bound. Player.js is ~1.5 MB, watch HTML ~3 MB, channel responses well under 1 MB. A hostile redirect target (or compromised host) could blast multi-GB and OOM-kill the Android process — there is no headroom on a 1 GB JVM heap ceiling. Cap at 32 MB. Two-stage check: bail fast on a known Content-Length that exceeds the cap, and use Read::take(MAX+1) on the stream so we detect overrun rather than silently truncate. Switched the final decode to from_utf8_lossy so a single mojibake byte doesn't drop the whole response (same fix shape as the wrapper's read_capped_body).
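The two-stage body cap described above, written out as an added example in plain std-only Rust (not the crate's own ReqwestDownloader code or its read_capped_body; the function name, error enum and the constructed Cursor inputs are assumptions here). The Content-Length pre-check, the take(cap + 1) sentinel byte and the lossy decode are the three pieces the commit message names.

```rust
use std::io::{self, Read};

/// Cap on a buffered response body, matching the 32 MB chosen in the commit.
pub const MAX_BODY_BYTES: usize = 32 * 1024 * 1024;

#[derive(Debug, PartialEq)]
pub enum BodyError {
    /// Declared Content-Length already exceeds the cap: refuse before reading.
    DeclaredTooLarge(u64),
    /// Stream delivered more than the cap (chunked body or lying Content-Length).
    Overrun,
    Io(String),
}

/// Two-stage capped read: bail on a declared size above `cap`, then read at
/// most cap+1 bytes so an overrun is detected instead of silently truncated.
pub fn read_capped_body<R: Read>(
    content_length: Option<u64>,
    body: R,
    cap: usize,
) -> Result<String, BodyError> {
    if let Some(len) = content_length {
        if len > cap as u64 {
            return Err(BodyError::DeclaredTooLarge(len));
        }
    }
    let mut buf = Vec::with_capacity(cap.min(8192));
    // The one extra byte is the sentinel proving the body kept going past the cap.
    body.take(cap as u64 + 1)
        .read_to_end(&mut buf)
        .map_err(|e: io::Error| BodyError::Io(e.to_string()))?;
    if buf.len() > cap {
        return Err(BodyError::Overrun);
    }
    // Lossy decode: an invalid byte becomes U+FFFD rather than dropping the response.
    Ok(String::from_utf8_lossy(&buf).into_owned())
}

fn main() {
    // Constructed sample bodies with a tiny cap (not real YouTube responses).
    let cap = 16;
    println!("{:?}", read_capped_body(Some(5), io::Cursor::new(b"hello".to_vec()), cap));
    let big = vec![b'a'; cap + 1];
    println!("{:?}", read_capped_body(None, io::Cursor::new(big), cap));
}
```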