mirror of https://github.com/roytam1/UXP.git synced 2026-05-29 08:54:28 +00:00

Make HTTP/2 compressor more resilient to bad data.

wolfbeast
2018-11-01 07:31:23 +01:00
committed by Roy Tam
parent eb83cf3ac8
commit a85f7277af
+23 -3
@@ -402,7 +402,7 @@ Http2Decompressor::DecodeHeaderBlock(const uint8_t *data, uint32_t datalen,
nsresult rv = NS_OK;
nsresult softfail_rv = NS_OK;
while (NS_SUCCEEDED(rv) && (mOffset < datalen)) {
while (NS_SUCCEEDED(rv) && (mOffset < mDataLen)) {
bool modifiesTable = true;
if (mData[mOffset] & 0x80) {
rv = DoIndexed();
@@ -684,6 +684,11 @@ nsresult
Http2Decompressor::DecodeFinalHuffmanCharacter(const HuffmanIncomingTable *table,
uint8_t &c, uint8_t &bitsLeft)
{
MOZ_ASSERT(mOffset <= mDataLen);
if (mOffset > mDataLen) {
NS_WARNING("DecodeFinalHuffmanCharacter trying to read beyond end of buffer");
return NS_ERROR_FAILURE;
}
uint8_t mask = (1 << bitsLeft) - 1;
uint8_t idx = mData[mOffset - 1] & mask;
idx <<= (8 - bitsLeft);
@@ -721,6 +726,7 @@ Http2Decompressor::DecodeFinalHuffmanCharacter(const HuffmanIncomingTable *table
uint8_t
Http2Decompressor::ExtractByte(uint8_t bitsLeft, uint32_t &bytesConsumed)
{
MOZ_DIAGNOSTIC_ASSERT(mOffset < mDataLen);
uint8_t rv;
if (bitsLeft) {
@@ -750,8 +756,8 @@ Http2Decompressor::DecodeHuffmanCharacter(const HuffmanIncomingTable *table,
uint8_t idx = ExtractByte(bitsLeft, bytesConsumed);
if (table->IndexHasANextTable(idx)) {
if (bytesConsumed >= mDataLen) {
if (!bitsLeft || (bytesConsumed > mDataLen)) {
if (mOffset >= mDataLen) {
if (!bitsLeft || (mOffset > mDataLen)) {
// TODO - does this get me into trouble in the new world?
// No info left in input to try to consume, we're done
LOG(("DecodeHuffmanCharacter all out of bits to consume, can't chain"));
@@ -892,6 +898,13 @@ Http2Decompressor::DoLiteralInternal(nsACString &name, nsACString &value,
return rv;
}
// sanity check
if (mOffset >= mDataLen) {
NS_WARNING("Http2 Decompressor ran out of data");
// This is session-fatal
return NS_ERROR_FAILURE;
}
bool isHuffmanEncoded;
if (!index) {
@@ -919,6 +932,13 @@ Http2Decompressor::DoLiteralInternal(nsACString &name, nsACString &value,
return rv;
}
// sanity check
if (mOffset >= mDataLen) {
NS_WARNING("Http2 Decompressor ran out of data");
// This is session-fatal
return NS_ERROR_FAILURE;
}
// now the value
uint32_t valueLen;
isHuffmanEncoded = mData[mOffset] & (1 << 7);
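Review bot: In ExtractByte the new bound `mOffset < mDataLen` is enforced only by `MOZ_DIAGNOSTIC_ASSERT`, which is typically compiled out of release builds, so unlike the other hunks it adds no runtime protection when a peer sends a truncated header block. In DecodeHuffmanCharacter the call `ExtractByte(bitsLeft, bytesConsumed)` still runs before the `mOffset >= mDataLen` test, so the bound has to be established by callers that are not visible on this page. Since ExtractByte returns `uint8_t` and cannot report failure, consider a guard ahead of that call, `if (mOffset >= mDataLen) { return NS_ERROR_FAILURE; }` (assuming DecodeHuffmanCharacter returns nsresult like its sibling), or at least a comment on the assert naming the caller that guarantees it. Separately, DecodeFinalHuffmanCharacter rejects `mOffset > mDataLen` but then reads `mData[mOffset - 1]`, which is in range only when mOffset is nonzero; that presumably holds on this path but is not checked. All of these function bodies start or end outside the hunks shown.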