This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/8.5.x by this push:
     new b90ed2f  65340: Fix NegativeArraySizeException exception in hpack 
decoder
b90ed2f is described below

commit b90ed2f58ad781cb1b9aa58d91243ded00a0bb83
Author: remm <r...@apache.org>
AuthorDate: Thu Jun 3 10:53:21 2021 +0200

    65340: Fix NegativeArraySizeException exception in hpack decoder
    
    Submitted by Thomas.
---
 java/org/apache/coyote/http2/HpackDecoder.java | 2 +-
 webapps/docs/changelog.xml                     | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/java/org/apache/coyote/http2/HpackDecoder.java 
b/java/org/apache/coyote/http2/HpackDecoder.java
index 517dc0b..02802ad 100644
--- a/java/org/apache/coyote/http2/HpackDecoder.java
+++ b/java/org/apache/coyote/http2/HpackDecoder.java
@@ -213,7 +213,7 @@ public class HpackDecoder {
         byte data = buffer.get(buffer.position());
 
         int length = Hpack.decodeInteger(buffer, 7);
-        if (buffer.remaining() < length) {
+        if (buffer.remaining() < length || length == -1) {
             return null;
         }
         boolean huffman = (data & 0b10000000) != 0;
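Review bot: The added guard on the `if` line rejects only the exact value -1, so any other negative `length` would still pass `buffer.remaining() < length` and presumably reach the allocation behind the `NegativeArraySizeException` named in the commit title. `Hpack.decodeInteger` is not visible in this hunk, so whether it can return other negative values (for instance through int overflow while accumulating a long multi-byte encoding) is unconfirmed. Writing the guard as `if (length < 0 || buffer.remaining() < length) {` covers both cases and tests the sentinel first. A short comment such as `// decodeInteger returns a negative value when it cannot decode a full integer from the buffer` would record why the check exists; confirm the wording against `Hpack`. The enclosing method starts and ends outside the hunk, so how callers treat the `null` return could not be checked here.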
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 9cd71f5..8be9dfb 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -169,6 +169,13 @@
       <update>
         Simplify AprEndpoint socket bind for all platforms. (michaelo)
       </update>
+      <fix>
+        <bug>65340</bug>: Add missing check for a negative return value for
+        <code>Hpack.decodeInteger</code> in the <code>HpackDecoder</code>,
+        which could cause a <code>NegativeArraySizeException</code> exception.
+        Submitted by Thomas, and verified the fix is present in the donated
+        hpack code in a further update. (remm)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">
