From 8874f06b9ef9dcece53210b16f5677a7c81c1e78 Mon Sep 17 00:00:00 2001
From: Frederic Lecaille
Date: Wed, 27 May 2026 17:16:16 +0200
Subject: [PATCH] BUG/MINOR: qpack: fix huff_dec() error handling in qpack_decode_fs()
The variable is a signed integer, but the check for a Huffman decoding error was written as 'nlen == (uint32_t)-1'. With standard compiler type promotion rules, this comparison happens to work as intended when huff_dec() returns -1. However, relying on implicit unsigned promotions for signed error checking is fragile. If a compiler applies different promotion semantics, or if huff_dec() returns any other negative error code, the failure would go undetected, leading to buffer corruption or a crash via b_add() and ist2(). Fix this by using 'nlen < 0', removing any ambiguity regardless of the compiler used. Must be backported to all versions.
---
 src/qpack-dec.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/qpack-dec.c b/src/qpack-dec.c
index 703275aa5..f70206f4a 100644
--- a/src/qpack-dec.c
+++ b/src/qpack-dec.c
@@ -456,7 +456,7 @@ int qpack_decode_fs(const unsigned char *raw, uint64_t len, struct buffer *tmp,
 }
 nlen = huff_dec(raw, length, trash, tmp->size - tmp->data);
- if (nlen == (uint32_t)-1) {
+ if (nlen < 0) {
 qpack_debug_printf(stderr, " can't decode huffman.\n");
 ret = -QPACK_RET_HUFFMAN;
 goto out;
@@ -506,7 +506,7 @@ int qpack_decode_fs(const unsigned char *raw, uint64_t len, struct buffer *tmp,
 goto out;
 }
 nlen = huff_dec(raw, name_len, trash, tmp->size - tmp->data);
- if (nlen == (uint32_t)-1) {
+ if (nlen < 0) {
 qpack_debug_printf(stderr, " can't decode huffman.\n");
 ret = -QPACK_RET_HUFFMAN;
 goto out;
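Review bot: The new `if (nlen < 0)` test only works if `nlen` is declared with a signed type at each of the three call sites (the hunks at -456, -506 and -545), and those declarations sit outside the hunks. The commit message says it is signed here, but the patch is marked for backport to all versions. On a branch where `nlen` is unsigned the condition would be always false, so a failed decode would reach the length consumers the message names, b_add() and ist2(), on what is presumably peer-supplied input. I would add a comment at each declaration, e.g. `/* must stay signed: huff_dec() reports failure with a negative value */`, and check every backport against the declaration; GCC's `-Wtype-limits` flags an always-false `< 0` on an unsigned operand. qpack_decode_fs() starts and ends outside all three hunks.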
@@ -545,7 +545,7 @@ int qpack_decode_fs(const unsigned char *raw, uint64_t len, struct buffer *tmp,
 goto out;
 }
 nlen = huff_dec(raw, value_len, trash, tmp->size - tmp->data);
- if (nlen == (uint32_t)-1) {
+ if (nlen < 0) {
 qpack_debug_printf(stderr, " can't decode huffman.\n");
 ret = -QPACK_RET_HUFFMAN;
 goto out;