Bug 1343505 r=mcmanus a=abillings
authorNicholas Hurley <hurley@mozilla.com>
Tue, 21 Mar 2017 11:49:36 +0100
changeset 379153 bd23131fffca18172575e72bd60ba8e6817a670a
parent 379152 728b0e0b8dea97cd709204df088f3fc01276a6f7
child 379154 d1a93263a03d227c390c02791f295fd5dd7d9a4c
push id1419
push userjlund@mozilla.com
push dateMon, 10 Apr 2017 20:44:07 +0000
treeherdermozilla-release@5e6801b73ef6 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersmcmanus, abillings
bugs1343505
milestone53.0
Bug 1343505 r=mcmanus a=abillings MozReview-Commit-ID: 7OPJQfzW4FU
netwerk/protocol/http/Http2Session.cpp
--- a/netwerk/protocol/http/Http2Session.cpp
+++ b/netwerk/protocol/http/Http2Session.cpp
@@ -2688,17 +2688,21 @@ Http2Session::WriteSegmentsAgain(nsAHttp
     ++mInputFrameDataRead;
 
     char *control = &mInputFrameBuffer[kFrameHeaderBytes];
     mPaddingLength = static_cast<uint8_t>(*control);
 
     LOG3(("Http2Session::WriteSegments %p stream 0x%X mPaddingLength=%d", this,
           mInputFrameID, mPaddingLength));
 
-    if (1U + mPaddingLength == mInputFrameDataSize) {
+    if (1U + mPaddingLength > mInputFrameDataSize) {
+      LOG3(("Http2Session::WriteSegments %p stream 0x%X padding too large for "
+            "frame", this, mInputFrameID));
+      RETURN_SESSION_ERROR(this, PROTOCOL_ERROR);
+    } else if (1U + mPaddingLength == mInputFrameDataSize) {
       // This frame consists entirely of padding, we can just discard it
       LOG3(("Http2Session::WriteSegments %p stream 0x%X frame with only padding",
             this, mInputFrameID));
       rv = ReadyToProcessDataFrame(DISCARDING_DATA_FRAME_PADDING);
       if (NS_FAILED(rv)) {
         return rv;
       }
     } else {