You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by re...@apache.org on 2021/06/03 09:06:21 UTC

[tomcat] branch 9.0.x updated: 65340: Fix NegativeArraySizeException exception in hpack decoder

This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
     new 56c256a  65340: Fix NegativeArraySizeException exception in hpack decoder
56c256a is described below

commit 56c256a5969489ef6731f0f1c1726f8c2184c44b
Author: remm <re...@apache.org>
AuthorDate: Thu Jun 3 10:53:21 2021 +0200

    65340: Fix NegativeArraySizeException exception in hpack decoder
    
    Submitted by Thomas.
---
 java/org/apache/coyote/http2/HpackDecoder.java | 2 +-
 webapps/docs/changelog.xml                     | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/java/org/apache/coyote/http2/HpackDecoder.java b/java/org/apache/coyote/http2/HpackDecoder.java
index 517dc0b..02802ad 100644
--- a/java/org/apache/coyote/http2/HpackDecoder.java
+++ b/java/org/apache/coyote/http2/HpackDecoder.java
@@ -213,7 +213,7 @@ public class HpackDecoder {
         byte data = buffer.get(buffer.position());
 
         int length = Hpack.decodeInteger(buffer, 7);
-        if (buffer.remaining() < length) {
+        if (buffer.remaining() < length || length == -1) {
             return null;
         }
         boolean huffman = (data & 0b10000000) != 0;
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index f26eaf9..b2074d0 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -181,6 +181,13 @@
       <fix>
         Optimize NIO selector handling for Java 11. (remm)
       </fix>
+      <fix>
+        <bug>65340</bug>: Add missing check for a negative return value for
+        <code>Hpack.decodeInteger</code> in the <code>HpackDecoder</code>,
+        which could cause a <code>NegativeArraySizeException</code> exception.
+        Submitted by Thomas, and verified the fix is present in the donated
+        hpack code in a further update. (remm)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org