curl: Heap Buffer Over-read in lib/http2.c (on_header) handling PUSH_PROMISE frames
Summary: I have discovered a Heap Buffer Over-read vulnerability in lib/http2.c within the onheader callback function. When processing HTTP/2 PUSHPROMISE frames, the code incorrectly uses the %s format specifier on raw pointers provided by nghttp2. According to nghttp2 documentation, the name and...