Check protocol length so that scanner don't overrun buffer

lib/nghttp2_npn.c

@@ -33,12 +33,14 @@ int nghttp2_select_next_protocol(unsigned char **out, unsigned char *outlen,
   unsigned int i = 0;
   for(; i < inlen; i += in[i]+1) {
     if(in[i] == NGHTTP2_PROTO_VERSION_ID_LEN &&
+       i + 1 + in[i] <= inlen &&
        memcmp(&in[i+1], NGHTTP2_PROTO_VERSION_ID, in[i]) == 0) {
       *out = (unsigned char*)&in[i+1];
       *outlen = in[i];
       return 1;
     }
-    if(in[i] == 8 && memcmp(&in[i+1], "http/1.1", in[i]) == 0) {
+    if(in[i] == 8 && i + 1 + in[i] <= inlen &&
+       memcmp(&in[i+1], "http/1.1", in[i]) == 0) {
       http_selected = 1;
       *out = (unsigned char*)&in[i+1];
       *outlen = in[i];