From 4235d182143369d608c436f83004ce931ebb3635 Mon Sep 17 00:00:00 2001
From: Willy Tarreau
Date: Sun, 3 Dec 2017 12:00:36 +0100
Subject: [PATCH] BUG/MINOR: hpack: must reject huffman literals padded with more than 7 bits

h2spec reported that we didn't check that no more than 7 bits of padding were left after decoding an huffman-encoded literal. This is harmless but better fix it now. To backport to 1.8.
---
 src/hpack-huff.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/hpack-huff.c b/src/hpack-huff.c
index 23aa5419b..cbf1fa021 100644
--- a/src/hpack-huff.c
+++ b/src/hpack-huff.c
@@ -1518,8 +1518,12 @@ int huff_dec(const uint8_t *huff, int hlen, char *out, int olen)
 if (bleft > 0) {
 /* some bits were not consumed after the last code, they must
- * match EOS (ie: all ones).
+ * match EOS (ie: all ones) and there must be 7 bits or less.
+ * (7541#5.2).
 */
+ if (bleft > 7)
+ return -1;
+
 if ((code & -(1 << (32 - bleft))) != (uint32_t)-(1 << (32 - bleft)))
 return -1;
 }
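Review bot: The EOS mask test that follows the new `bleft > 7` guard still shifts a signed `1`: with the guard in place bleft is 1..7 here, and for bleft == 1 the expression `1 << (32 - bleft)` becomes `1 << 31`, which is not representable in a 32-bit int and is undefined behaviour in C, on a path that decodes peer-supplied HPACK data. Building the mask as an unsigned value avoids that, e.g. `uint32_t mask = -(1U << (32 - bleft));` followed by `if ((code & mask) != mask) return -1;`. This assumes `code` is a uint32_t, as the existing cast suggests; its declaration and the rest of huff_dec() lie outside the hunk. The comment's `(7541#5.2)` would also read more clearly as `RFC 7541, section 5.2`.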