From b58d2e84ab7412f54f30a88b698a74a3db344cb4 Mon Sep 17 00:00:00 2001
From: Soheil Hassas Yeganeh
Date: Tue, 16 Jul 2019 10:45:08 -0400
Subject: [PATCH] Make sure there is at least a header in the frame storge of H2.

grpc_chttp2_maybe_complete_recv_trailing_metadata() moves at least GRPC_HEADER_SIZE_IN_BYTES from the frame storage, whenever the frame storage is non-empty. Instead ensure that we have at least GRPC_HEADER_SIZE_IN_BYTES in the frame storage. This results in bugs detected by clusterfuzz in chrome:
https://bugs.chromium.org/p/chromium/issues/detail?id=984534
https://bugs.chromium.org/p/chromium/issues/detail?id=984478#c2
---
 .../ext/transport/chttp2/transport/chttp2_transport.cc | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/core/ext/transport/chttp2/transport/chttp2_transport.cc b/src/core/ext/transport/chttp2/transport/chttp2_transport.cc
index 3c9a8a2209f..43f2db1309f 100644
--- a/src/core/ext/transport/chttp2/transport/chttp2_transport.cc
+++ b/src/core/ext/transport/chttp2/transport/chttp2_transport.cc
@@ -2016,9 +2016,10 @@ void grpc_chttp2_maybe_complete_recv_trailing_metadata(grpc_chttp2_transport* t,
 * maybe decompress the next 5 bytes in the stream. */
 if (s->stream_decompression_method ==
 GRPC_STREAM_COMPRESSION_IDENTITY_DECOMPRESS) {
- grpc_slice_buffer_move_first(&s->frame_storage,
- GRPC_HEADER_SIZE_IN_BYTES,
- &s->unprocessed_incoming_frames_buffer);
+ grpc_slice_buffer_move_first(
+ &s->frame_storage,
+ GPR_MIN(s->frame_storage.length, GRPC_HEADER_SIZE_IN_BYTES),
+ &s->unprocessed_incoming_frames_buffer);
 if (s->unprocessed_incoming_frames_buffer.length > 0) {
 s->unprocessed_incoming_frames_decompressed = true;
 pending_data = true;
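Review bot: The clamp `GPR_MIN(s->frame_storage.length, GRPC_HEADER_SIZE_IN_BYTES)` stops the over-length move the fuzzer hit, but the new code now hands a partial frame header (1 to 4 bytes, when frame_storage holds less than a header) to unprocessed_incoming_frames_buffer and still sets unprocessed_incoming_frames_decompressed and pending_data, so whatever consumes that buffer must tolerate a buffer shorter than GRPC_HEADER_SIZE_IN_BYTES, and that contract is stated nowhere in the hunk. I would record it at the call, e.g. `/* frame_storage may hold fewer than GRPC_HEADER_SIZE_IN_BYTES bytes; the consumer of unprocessed_incoming_frames_buffer must handle a partial header. */`, and confirm the consumer really does buffer a short header rather than parsing it, since that is what turns the old out-of-bounds move into a correct wait-for-more-data. Because the first GPR_MIN operand is a size_t, it is also worth checking that GRPC_HEADER_SIZE_IN_BYTES expands to a non-negative or unsigned constant so the macro's comparison is not a signed/unsigned mismatch. The context comment `* maybe decompress the next 5 bytes in the stream. */` is now slightly stale, since up to 5 bytes are moved; `up to the next 5 bytes` would match the code. grpc_chttp2_maybe_complete_recv_trailing_metadata starts and ends outside the hunk, so the enclosing non-empty check the commit message refers to is not visible here.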