BUG/MINOR: qpack: fix huff_dec() error handling in qpack_decode_fs()

The <nlen> variable is a signed integer, but the check for a Huffman
decoding error was written as 'nlen == (uint32_t)-1'.

With standard compiler type promotion rules, this comparison happens to
work as intended when huff_dec() returns -1. However, relying on implicit
unsigned promotions for signed error checking is fragile. If a compiler
applies different promotion semantics, or if huff_dec() returns any other
negative error code, the failure would go undetected, leading to buffer
corruption or a crash via b_add() and ist2().

Fix this by using 'nlen < 0', removing any ambiguity regardless of the
compiler used.

Must be backported to all versions.
Frederic Lecaille 2026-05-27 17:16:16 +02:00
parent 629fbee3be
commit 8874f06b9e

@ -456,7 +456,7 @@ int qpack_decode_fs(const unsigned char *raw, uint64_t len, struct buffer *tmp,
}
nlen = huff_dec(raw, length, trash, tmp->size - tmp->data);
if (nlen == (uint32_t)-1) {
if (nlen < 0) {
qpack_debug_printf(stderr, " can't decode huffman.\n");
ret = -QPACK_RET_HUFFMAN;
goto out;
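Review bot: `if (nlen < 0)` at this first call site is only meaningful if `nlen` is declared with a signed type, and the declaration is outside the visible context. The commit message says it is a signed integer; please confirm it matches the return type of huff_dec() exactly, because with an unsigned `nlen` the new test would be always false and the error path after `huff_dec(raw, length, trash, tmp->size - tmp->data)` would never be taken. A build with -Wtype-limits catches that always-false case.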
@ -506,7 +506,7 @@ int qpack_decode_fs(const unsigned char *raw, uint64_t len, struct buffer *tmp,
goto out;
}
nlen = huff_dec(raw, name_len, trash, tmp->size - tmp->data);
if (nlen == (uint32_t)-1) {
if (nlen < 0) {
qpack_debug_printf(stderr, " can't decode huffman.\n");
ret = -QPACK_RET_HUFFMAN;
goto out;
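Review bot: The name-decoding site repeats the same huff_dec() call, check, debug print and `ret = -QPACK_RET_HUFFMAN; goto out;` sequence as the other two sites in qpack_decode_fs(), which is how one wrong comparison ended up needing three identical fixes. Consider a small helper that wraps huff_dec() with the `tmp->size - tmp->data` bound and reports failure, so the error test exists in one place.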
@ -545,7 +545,7 @@ int qpack_decode_fs(const unsigned char *raw, uint64_t len, struct buffer *tmp,
goto out;
}
nlen = huff_dec(raw, value_len, trash, tmp->size - tmp->data);
if (nlen == (uint32_t)-1) {
if (nlen < 0) {
qpack_debug_printf(stderr, " can't decode huffman.\n");
ret = -QPACK_RET_HUFFMAN;
goto out;
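Review bot: Now that the value-decoding check treats every negative return as a failure, the debug message `" can't decode huffman.\n"` throws away the actual value of `nlen`. If huff_dec() can return more than one negative code, as the commit message allows for, printing `nlen` here would make the failure diagnosable. It would also help to state the negative-on-error contract in a comment at the declaration of huff_dec(), if it is not there already, so new callers do not reintroduce the `== (uint32_t)-1` form.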