From 3b83a3ba3e735fd92a7a61936feb78b54d429d2a Mon Sep 17 00:00:00 2001
From: Steve Lhomme
Date: Wed, 28 Aug 2013 17:03:58 +0200
Subject: [PATCH 1/2] When invalid sizes are used to initialize the ArrayList, don't crash with an uncaught exception
---
 .../src/main/java/com/squareup/okhttp/internal/spdy/Spdy3.java | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/okhttp-protocols/src/main/java/com/squareup/okhttp/internal/spdy/Spdy3.java b/okhttp-protocols/src/main/java/com/squareup/okhttp/internal/spdy/Spdy3.java
index d233c2bea..36367abe1 100644
--- a/okhttp-protocols/src/main/java/com/squareup/okhttp/internal/spdy/Spdy3.java
+++ b/okhttp-protocols/src/main/java/com/squareup/okhttp/internal/spdy/Spdy3.java
@@ -304,6 +304,8 @@ final class Spdy3 implements Variant {
 return entries;
 } catch (DataFormatException e) {
 throw new IOException(e.getMessage());
+ } catch (OutOfMemoryError e) {
+ throw new IOException(e.getMessage());
 }
 }
From 638ae21c7a6edc0e51bc624a80dfbc6fb8aa4236 Mon Sep 17 00:00:00 2001
From: Steve Lhomme
Date: Thu, 29 Aug 2013 17:17:24 +0200
Subject: [PATCH 2/2] safer check for invalid values, without catching OOM
---
 .../java/com/squareup/okhttp/internal/spdy/Spdy3.java | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/okhttp-protocols/src/main/java/com/squareup/okhttp/internal/spdy/Spdy3.java b/okhttp-protocols/src/main/java/com/squareup/okhttp/internal/spdy/Spdy3.java
index 36367abe1..122d371c2 100644
--- a/okhttp-protocols/src/main/java/com/squareup/okhttp/internal/spdy/Spdy3.java
+++ b/okhttp-protocols/src/main/java/com/squareup/okhttp/internal/spdy/Spdy3.java
@@ -284,10 +284,14 @@ final class Spdy3 implements Variant {
 this.compressedLimit += length;
 try {
 int numberOfPairs = nameValueBlockIn.readInt();
- if ((numberOfPairs * 2) < 0) {
+ if (numberOfPairs < 0) {
 Logger.getLogger(getClass().getName()).warning("numberOfPairs < 0: " + numberOfPairs);
 throw ioException("numberOfPairs < 0");
 }
+ if (numberOfPairs > 1024) {
+ Logger.getLogger(getClass().getName()).warning("numberOfPairs > 1024: " + numberOfPairs);
+ throw ioException("numberOfPairs > 1024");
+ }
 List entries = new ArrayList(numberOfPairs * 2);
 for (int i = 0; i < numberOfPairs; i++) {
 String name = readString();
@@ -304,8 +308,6 @@ final class Spdy3 implements Variant {
 return entries;
 } catch (DataFormatException e) {
 throw new IOException(e.getMessage());
- } catch (OutOfMemoryError e) {
- throw new IOException(e.getMessage());
 }
 }
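Review bot: The ceiling of 1024 in the first hunk (`if (numberOfPairs > 1024)`) is an undocumented literal repeated three times, in the comparison, the log text and the exception message, so the three can drift apart and nothing tells a maintainer why this number was chosen. I would name it once, `private static final int MAX_NAME_VALUE_PAIRS = 1024;`, compare with `if (numberOfPairs > MAX_NAME_VALUE_PAIRS) {`, and put a comment on the constant saying that numberOfPairs is read from the peer's name/value block and has to be bounded before it sizes `new ArrayList(numberOfPairs * 2)`. The count is now capped, but each entry still comes from `readString()`, whose body is outside this hunk; if it allocates from a length field in the same block, that length presumably needs a comparable bound. The enclosing method starts and ends outside the hunk.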