From 855f39743ad8cd4948b0e9d8ba008bfe201f2e5c Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa
Date: Thu, 1 May 2014 09:06:54 +0900
Subject: [PATCH] Fix crash when indexed repr index=0
---
 lib/nghttp2_hd.c | 7 +++++++
 tests/main.c | 2 ++
 tests/nghttp2_hd_test.c | 39 +++++++++++++++++++++++++++++++++++++++
 tests/nghttp2_hd_test.h | 1 +
 4 files changed, 49 insertions(+)
diff --git a/lib/nghttp2_hd.c b/lib/nghttp2_hd.c
index 8729cfb8..da03163f 100644
--- a/lib/nghttp2_hd.c
+++ b/lib/nghttp2_hd.c
@@ -1671,7 +1671,14 @@ ssize_t nghttp2_hd_inflate_hd(nghttp2_hd_inflater *inflater,
 if(rv < 0) {
 goto fail;
 }
+
 in += rv;
+
+ if(inflater->left == 0) {
+ rv = NGHTTP2_ERR_HEADER_COMP;
+ goto fail;
+ }
+
 if(!rfin) {
 goto almost_ok;
 }
diff --git a/tests/main.c b/tests/main.c
index 723dd333..8dea5a8d 100644
--- a/tests/main.c
+++ b/tests/main.c
@@ -258,6 +258,8 @@ int main(int argc, char* argv[])
 test_nghttp2_hd_deflate_common_header_eviction) ||
 !CU_add_test(pSuite, "hd_deflate_clear_refset",
 test_nghttp2_hd_deflate_clear_refset) ||
+ !CU_add_test(pSuite, "hd_inflate_indexed",
+ test_nghttp2_hd_inflate_indexed) ||
 !CU_add_test(pSuite, "hd_inflate_indname_noinc",
 test_nghttp2_hd_inflate_indname_noinc) ||
 !CU_add_test(pSuite, "hd_inflate_indname_inc",
diff --git a/tests/nghttp2_hd_test.c b/tests/nghttp2_hd_test.c
index ca5e2e29..a63c481e 100644
--- a/tests/nghttp2_hd_test.c
+++ b/tests/nghttp2_hd_test.c
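Review bot: The `inflater->left == 0` check in lib/nghttp2_hd.c sits above the `if(!rfin)` test, so it also runs while the index integer is only partly decoded and `left` holds an intermediate value. Whether an intermediate `left` can be 0 is not visible in this hunk, so validating only the completed value is the safer order: place the block directly after `if(!rfin) { goto almost_ok; }`. Since the index is read from a peer-supplied header block, a comment such as `/* index 0 is invalid for an indexed representation; reject peer input here */` would record why the check exists. The body of nghttp2_hd_inflate_hd starts and ends outside the hunk.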
@@ -309,6 +309,45 @@ void test_nghttp2_hd_deflate_clear_refset(void)
 nghttp2_hd_deflate_free(&deflater);
 }
 
+void test_nghttp2_hd_inflate_indexed(void)
+{
+ nghttp2_hd_inflater inflater;
+ nghttp2_bufs bufs;
+ ssize_t blocklen;
+ nghttp2_nv nv = MAKE_NV(":path", "/");
+ nva_out out;
+
+ frame_pack_bufs_init(&bufs);
+
+ nva_out_init(&out);
+ nghttp2_hd_inflate_init(&inflater);
+
+ nghttp2_bufs_addb(&bufs, (1 << 7) | 4);
+
+ blocklen = nghttp2_bufs_len(&bufs);
+
+ CU_ASSERT(1 == blocklen);
+ CU_ASSERT(blocklen == inflate_hd(&inflater, &out, &bufs, 0));
+
+ CU_ASSERT(1 == out.nvlen);
+
+ assert_nv_equal(&nv, out.nva, 1);
+
+ nva_out_reset(&out);
+ nghttp2_bufs_reset(&bufs);
+
+ /* index = 0 is error */
+ nghttp2_bufs_addb(&bufs, 1 << 7);
+
+ blocklen = nghttp2_bufs_len(&bufs);
+
+ CU_ASSERT(1 == blocklen);
+ CU_ASSERT(NGHTTP2_ERR_HEADER_COMP == inflate_hd(&inflater, &out, &bufs, 0));
+
+ nghttp2_bufs_free(&bufs);
+ nghttp2_hd_inflate_free(&inflater);
+}
+
 void test_nghttp2_hd_inflate_indname_noinc(void)
 {
 nghttp2_hd_inflater inflater;
diff --git a/tests/nghttp2_hd_test.h b/tests/nghttp2_hd_test.h
index 14e3d807..5e089d57 100644
--- a/tests/nghttp2_hd_test.h
+++ b/tests/nghttp2_hd_test.h
@@ -29,6 +29,7 @@ void test_nghttp2_hd_deflate(void);
 void test_nghttp2_hd_deflate_same_indexed_repr(void);
 void test_nghttp2_hd_deflate_common_header_eviction(void);
 void test_nghttp2_hd_deflate_clear_refset(void);
+void test_nghttp2_hd_inflate_indexed(void);
 void test_nghttp2_hd_inflate_indname_noinc(void);
 void test_nghttp2_hd_inflate_indname_inc(void);
 void test_nghttp2_hd_inflate_indname_inc_eviction(void);
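Review bot: The index-0 case in test_nghttp2_hd_inflate_indexed asserts only the return code; it never checks that nothing was emitted into `out`, and `out` is not reset after that second call. Adding `CU_ASSERT(0 == out.nvlen);` and `nva_out_reset(&out);` before `nghttp2_bufs_free(&bufs);` would pin that a rejected block yields no header and would release anything the error path did append. Whether the `inflate_hd` helper can append entries before it fails is not visible in this hunk.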