hpack: raise error if buffer is incomplete

1 files changed, 17 insertions, 7 deletions

diff --git a/lib/plum/hpack/decoder.rb b/lib/plum/hpack/decoder.rb
index adc34e5..71c8be5 100644
--- a/lib/plum/hpack/decoder.rb
+++ b/lib/plum/hpack/decoder.rb
@@ -32,24 +32,34 @@ module Plum
       end
 
       def read_integer!(str, prefix_length)
+        first_byte = str.byteshift(1).uint8
+        raise HPACKError.new("integer: end of buffer") unless first_byte
+
         mask = (1 << prefix_length) - 1
-        ret = str.byteshift(1).uint8 & mask
+        ret = first_byte & mask
+        return ret if ret < mask
+
+        octets = 0
+        while next_value = str.byteshift(1).uint8
+          ret += (next_value & 0b01111111) << (7 * octets)
+          octets += 1
 
-        if ret == mask
-          loop.with_index do |_, i|
-            next_value = str.byteshift(1).uint8
-            ret += (next_value & ~(0b10000000)) << (7 * i)
-            break if next_value & 0b10000000 == 0
+          if next_value < 128
+            return ret
+          elsif octets == 4 # RFC 7541 5.1 tells us that we MUST have limitation. at least > 2 ** 28
+            raise HPACKError.new("integer: too large integer")
           end
         end
 
-        ret
+        raise HPACKError.new("integer: end of buffer")
       end
 
       def read_string!(str)
         huffman = (str.uint8 >> 7) == 1
         length = read_integer!(str, 7)
         bin = str.byteshift(length)
+
+        raise HTTPError.new("string: end of buffer") if bin.bytesize < length
         bin = Huffman.decode(bin) if huffman
         bin
       end