diff -ru dnsdist-2.0.3.orig/ext/yahttp/yahttp/reqresp.cpp dnsdist-2.0.3.CVE-2026-33257/ext/yahttp/yahttp/reqresp.cpp --- dnsdist-2.0.3.orig/ext/yahttp/yahttp/reqresp.cpp 2026-03-13 16:12:38.000000000 +0100 +++ dnsdist-2.0.3.CVE-2026-33257/ext/yahttp/yahttp/reqresp.cpp 2026-04-03 15:50:54.263742538 +0200 @@ -175,20 +175,23 @@ buffer.copy(buf, pos); buf[pos]=0; // just in case... buffer.erase(buffer.begin(), buffer.begin()+pos+1); // remove line from buffer - if (sscanf(buf, "%x", &chunk_size) != 1) { + if (sscanf(buf, "%zx", &chunk_size) != 1) { throw ParseError("Unable to parse chunk size"); } if (chunk_size == 0) { state = 3; break; } // last chunk - if (chunk_size > (std::numeric_limits::max() - 2)) { + if (chunk_size > (std::numeric_limits::max() - 2) || chunk_size > maxbody) { throw ParseError("Chunk is too large"); } } else { int crlf=1; - if (buffer.size() < static_cast(chunk_size+1)) return false; // expect newline + if (buffer.size() < chunk_size+1) return false; // expect newline if (buffer.at(chunk_size) == '\r') { - if (buffer.size() < static_cast(chunk_size+2) || buffer.at(chunk_size+1) != '\n') return false; // expect newline after carriage return + if (buffer.size() < chunk_size+2 || buffer.at(chunk_size+1) != '\n') return false; // expect newline after carriage return crlf=2; } else if (buffer.at(chunk_size) != '\n') return false; + if (bodybuf.str().length() + chunk_size > maxbody) { + throw ParseError("Chunked body is too large"); + } std::string tmp = buffer.substr(0, chunk_size); buffer.erase(buffer.begin(), buffer.begin()+chunk_size+crlf); bodybuf << tmp; diff -ru dnsdist-2.0.3.orig/ext/yahttp/yahttp/reqresp.hpp dnsdist-2.0.3.CVE-2026-33257/ext/yahttp/yahttp/reqresp.hpp --- dnsdist-2.0.3.orig/ext/yahttp/yahttp/reqresp.hpp 2026-03-13 16:12:38.000000000 +0100 +++ dnsdist-2.0.3.CVE-2026-33257/ext/yahttp/yahttp/reqresp.hpp 2026-04-03 15:50:54.263799436 +0200 @@ -301,7 +301,7 @@ std::string buffer; //