From 780a2cbd70090bca1a1ed456f75b4d2dc5964b3f Mon Sep 17 00:00:00 2001
From: Narayan Kamath
Date: Tue, 12 Mar 2013 16:56:28 +0000
Subject: [PATCH] Guard against invalid name value block headers. If a badly behaved server sends us a negative number of name value blocks, we should throw an IOException and not a RTE (which will be thrown when we try to construct an ArrayList with a negative size).
---
 .../java/com/squareup/okhttp/internal/spdy/SpdyReader.java | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/main/java/com/squareup/okhttp/internal/spdy/SpdyReader.java b/src/main/java/com/squareup/okhttp/internal/spdy/SpdyReader.java
index db3b50c42..7a7b1987b 100644
--- a/src/main/java/com/squareup/okhttp/internal/spdy/SpdyReader.java
+++ b/src/main/java/com/squareup/okhttp/internal/spdy/SpdyReader.java
@@ -232,6 +232,10 @@ final class SpdyReader implements Closeable {
 this.compressedLimit += length;
 try {
 int numberOfPairs = nameValueBlockIn.readInt();
+ if (numberOfPairs < 0) {
+ Logger.getLogger(getClass().getName()).warning("numberOfPairs < 0: " + numberOfPairs);
+ throw ioException("numberOfPairs < 0");
+ }
 List entries = new ArrayList(numberOfPairs * 2);
 for (int i = 0; i < numberOfPairs; i++) {
 String name = readString();
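Review bot: The added guard rejects only negative counts, so a large positive `numberOfPairs` sent by the peer still reaches `new ArrayList(numberOfPairs * 2)` on the context line right after it. For counts of 2^30 and above the multiplication overflows to a negative int and the constructor throws the same IllegalArgumentException this commit is meant to turn into an IOException; just below that threshold the peer chooses the size of an allocation of up to about 2^31 slots, which can end in an OutOfMemoryError. I would put an upper bound in the same check, `if (numberOfPairs < 0 || numberOfPairs > MAX_PAIRS) {`, where `MAX_PAIRS` is a placeholder name for a new constant that is not in the file as shown, or stop pre-sizing the list from the untrusted count. The enclosing method starts and ends outside the hunk, so whether `length` or the decompressed size is bounded elsewhere cannot be seen from here.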