From 5aa0a0d0992a412a0d2544dad1e2aea90fcfbe18 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa
Date: Tue, 22 Apr 2014 23:20:33 +0900
Subject: [PATCH] Check protocol length so that scanner don't overrun buffer
---
 lib/nghttp2_npn.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/lib/nghttp2_npn.c b/lib/nghttp2_npn.c
index 78b6cfa3..d3aa71d8 100644
--- a/lib/nghttp2_npn.c
+++ b/lib/nghttp2_npn.c
@@ -33,12 +33,14 @@ int nghttp2_select_next_protocol(unsigned char **out, unsigned char *outlen,
 unsigned int i = 0;
 for(; i < inlen; i += in[i]+1) {
 if(in[i] == NGHTTP2_PROTO_VERSION_ID_LEN &&
+ i + 1 + in[i] <= inlen &&
 memcmp(&in[i+1], NGHTTP2_PROTO_VERSION_ID, in[i]) == 0) {
 *out = (unsigned char*)&in[i+1];
 *outlen = in[i];
 return 1;
 }
- if(in[i] == 8 && memcmp(&in[i+1], "http/1.1", in[i]) == 0) {
+ if(in[i] == 8 && i + 1 + in[i] <= inlen &&
+ memcmp(&in[i+1], "http/1.1", in[i]) == 0) {
 http_selected = 1;
 *out = (unsigned char*)&in[i+1];
 *outlen = in[i];
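Review bot: The added bound `i + 1 + in[i] <= inlen` is evaluated in unsigned arithmetic and can wrap when `i` is near the top of its range, so for a very large `inlen` the test could pass and `memcmp` would still read past the end of `in`; this applies to both conditions in the hunk. Because the loop condition already guarantees `i < inlen`, the subtraction form `in[i] <= inlen - i - 1` cannot wrap (assuming `inlen` is unsigned like `i`; its declaration is outside the hunk). The same test is now repeated in both `if`s, so it could be done once at the top of the loop body, e.g. `if(in[i] > inlen - i - 1) break;`, which ends the scan at a truncated entry just as the loop increment would on the next step. The loop increment `i += in[i]+1` has the same wrap exposure and would be worth a short comment stating the expected upper bound on `inlen`. The function starts and ends outside the hunk.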