From b87066da92277b8d84b2ff1cc8906f3cc17829ba Mon Sep 17 00:00:00 2001
From: Matt Rudary
Date: Fri, 11 Nov 2016 11:12:43 -0500
Subject: [PATCH] Prevent undefined behavior in decode_length

---
 AUTHORS | 1 +
 lib/nghttp2_hd.c | 5 +++++
 2 files changed, 6 insertions(+)

diff --git a/AUTHORS b/AUTHORS
index a55dba53..430a29e4 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -32,6 +32,7 @@ Etienne Cimon
 Fabian Möller
 Fabian Wiesel
 Gabi Davar
+Google Inc.
 Jacob Champion
 Jan-E
 Janusz Dziemidowicz
diff --git a/lib/nghttp2_hd.c b/lib/nghttp2_hd.c
index 72405fc9..6282b852 100644
--- a/lib/nghttp2_hd.c
+++ b/lib/nghttp2_hd.c
@@ -864,6 +864,11 @@ static ssize_t decode_length(uint32_t *res, size_t *shift_ptr, int *fin,
 for (; in != last; ++in, shift += 7) {
 uint32_t add = *in & 0x7f;
 
+ if (shift >= 32) {
+ DEBUGF("inflate: shift exponent overflow\n");
+ return -1;
+ }
+
 if ((UINT32_MAX >> shift) < add) {
 DEBUGF("inflate: integer overflow on shift\n");
 return -1;
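Review bot: The new `shift >= 32` guard in the `for` loop of decode_length has no comment saying why it must come before the `(UINT32_MAX >> shift) < add` test, and the bare 32 is the bit width of `uint32_t` written as a magic number. Since `shift` grows by 7 for each input octet and those octets presumably come from the peer's header block, I would add `/* A shift count >= the width of uint32_t is undefined behavior; reject before the >> below. */` above the check so a later cleanup does not merge or reorder the two tests. A regression test that decodes an integer with enough continuation octets for shift to reach 32 and expects -1 would pin the fix. The body of decode_length starts and ends outside this hunk, so whether any later use of `shift` needs the same bound cannot be judged from here.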