From 745d7b7e9f29f60f1a4870e300fea0f621e0611c Mon Sep 17 00:00:00 2001
From: Marten Seemann <martenseemann@gmail.com>
Date: Mon, 27 Feb 2017 15:45:32 +0700
Subject: [PATCH] reject stream frames that overflow the offset

fixes #452
---
 frames/stream_frame.go      |  6 +++++-
 frames/stream_frame_test.go | 13 +++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/frames/stream_frame.go b/frames/stream_frame.go
index fa833f80..680b1801 100644
--- a/frames/stream_frame.go
+++ b/frames/stream_frame.go
@@ -79,7 +79,11 @@ func ParseStreamFrame(r *bytes.Reader) (*StreamFrame, error) {
 		}
 	}
 
-	if !frame.FinBit && len(frame.Data) == 0 {
+	if frame.Offset+frame.DataLen() < frame.Offset {
+		return nil, qerr.Error(qerr.InvalidStreamData, "data overflows maximum offset")
+	}
+
+	if !frame.FinBit && frame.DataLen() == 0 {
 		return nil, qerr.EmptyStreamFrameNoFin
 	}
 
diff --git a/frames/stream_frame_test.go b/frames/stream_frame_test.go
index f70510b1..6177dded 100644
--- a/frames/stream_frame_test.go
+++ b/frames/stream_frame_test.go
@@ -65,6 +65,19 @@ var _ = Describe("StreamFrame", func() {
 			Expect(err).To(MatchError(qerr.Error(qerr.InvalidStreamData, "data len too large")))
 		})
 
+		It("rejects frames that overflow the offset", func() {
+			// Offset + len(Data) overflows MaxByteCount
+			f := &StreamFrame{
+				StreamID: 1,
+				Offset:   protocol.MaxByteCount,
+				Data:     []byte{'f'},
+			}
+			b := &bytes.Buffer{}
+			f.Write(b, protocol.VersionWhatever)
+			_, err := ParseStreamFrame(bytes.NewReader(b.Bytes()))
+			Expect(err).To(MatchError(qerr.Error(qerr.InvalidStreamData, "data overflows maximum offset")))
+		})
+
 		It("errors on EOFs", func() {
 			data := []byte{0xa4, 0x1, 0x2a, 0x00, 0x06, 0x00, 'f', 'o', 'o', 'b', 'a', 'r'}
 			_, err := ParseStreamFrame(bytes.NewReader(data))