BUG/MINOR: hpack: must reject huffman literals padded with more than 7 bits

h2spec reported that we didn't check that no more than 7 bits of padding
were left after decoding an huffman-encoded literal. This is harmless but
better fix it now.

To backport to 1.8.

diff --git a/src/hpack-huff.c b/src/hpack-huff.c
index 23aa5419b015b33b515dddcb918728eea1ef0665..cbf1fa02171cc6c15408481b4745a15d5f061625 100644 (file)
--- a/src/hpack-huff.c
+++ b/src/hpack-huff.c
@@ -1518,8 +1518,12 @@ int huff_dec(const uint8_t *huff, int hlen, char *out, int olen)
 
        if (bleft > 0) {
                /* some bits were not consumed after the last code, they must
-                * match EOS (ie: all ones).
+                * match EOS (ie: all ones) and there must be 7 bits or less.
+                * (7541#5.2).
                 */
+               if (bleft > 7)
+                       return -1;
+
                if ((code & -(1 << (32 - bleft))) != (uint32_t)-(1 << (32 - bleft)))
                        return -1;
        }