From 68aa51c3b7c234828b6b26a7455e62c39ae4a1a8 Mon Sep 17 00:00:00 2001
From: 0xcaphe <0xcaphe@proton.me>
Date: Fri, 27 Mar 2026 21:35:33 -0600
Subject: [PATCH] fix: Validate extended payload length

- Reject payload_length > 64MB in ws_read_frame_length to prevent frame_length integer overflow and downstream memcpy heap corruption
- Move is_masking check above !is_fin early return to close FIN=0 bypass
---
 src/websocket.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/websocket.c b/src/websocket.c
index 3437deff..76affbab 100644
--- a/src/websocket.c
+++ b/src/websocket.c
@@ -547,6 +547,11 @@ ws_status ws_read_frame_length(ws_t self) {
             payload_length <<= 8;
             payload_length |= (unsigned char)*in_head++;
         }
+        if (payload_length > (1ULL << 26)) {
+            return self->on_error(self,
+                "Extended payload_length %zu exceeds server limit",
+                payload_length);
+        }
     }
     my->frame_length = 2 + payload_n + (is_masking ? 4 : 0) + payload_length;