Stop processing QPACK Header Block Prefix if error is detected.
This fixes the crash https://crbug.com/970218 found by Clusterfuzz.
gfe-relnote: n/a, change in QUIC v99 only.
PiperOrigin-RevId: 253218848
Change-Id: I49c34deefc064bcfe3e6ff86c2975a577d4506f4
diff --git a/quic/core/qpack/qpack_decoder_test.cc b/quic/core/qpack/qpack_decoder_test.cc
index 9aa9d12..eabc7b9 100644
--- a/quic/core/qpack/qpack_decoder_test.cc
+++ b/quic/core/qpack/qpack_decoder_test.cc
@@ -551,6 +551,15 @@
DecodeHeaderBlock(QuicTextUtils::HexDecode("4100"));
}
+// Regression test for https://crbug.com/970218: Decoder must stop processing
+// after a Header Block Prefix with an invalid Encoded Required Insert Count.
+TEST_P(QpackDecoderTest, DataAfterInvalidEncodedRequiredInsertCount) {
+ EXPECT_CALL(handler_, OnDecodingErrorDetected(
+ Eq("Error decoding Required Insert Count.")));
+ // Header Block Prefix followed by some extra data.
+ DecodeHeaderBlock(QuicTextUtils::HexDecode("410000"));
+}
+
TEST_P(QpackDecoderTest, WrappedRequiredInsertCount) {
// Maximum dynamic table capacity is 1024.
// MaxEntries is 1024 / 32 = 32.
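Review bot: The comment `// Header Block Prefix followed by some extra data.` does not say which bytes of `410000` form the prefix and which byte is the trailing data that used to be processed after the error. Judging by the preceding test, which feeds `4100`, I would write `// "4100" is a Header Block Prefix with an invalid Encoded Required Insert Count; the trailing "00" must be ignored once the error is reported.` The `EXPECT_CALL` has no explicit cardinality, so it already requires exactly one error callback; `.Times(1)` would make it obvious that a second error report also fails the test. The test parameter is not visible in this hunk, so if it does not vary how the input is fragmented, a case that delivers the extra byte in a separate decode call would cover the path where data arrives after the error.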
diff --git a/quic/core/qpack/qpack_progressive_decoder.cc b/quic/core/qpack/qpack_progressive_decoder.cc
index 05a5fc0..5a60084 100644
--- a/quic/core/qpack/qpack_progressive_decoder.cc
+++ b/quic/core/qpack/qpack_progressive_decoder.cc
@@ -94,6 +94,10 @@
// decoded.
while (!prefix_decoded_) {
prefix_decoder_->Decode(data.substr(0, 1));
+ if (error_detected_) {
+ return;
+ }
+
data = data.substr(1);
if (data.empty()) {
return;
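Review bot: The new `if (error_detected_) { return; }` in the prefix loop has no comment explaining why the flag can change across the `prefix_decoder_->Decode()` call. Presumably the prefix decoder reports the error through a callback on this object; that is worth stating, because the crash came from feeding further peer-controlled bytes to a decoder already in an error state. I would add `// prefix_decoder_->Decode() may signal an error and set error_detected_; stop before feeding it more data.` above the check. The function starts and ends outside the hunk, so confirm that its entry and the code after the loop also bail out when `error_detected_` is set. Otherwise a later call carrying more stream data could reach the same state.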