h2: guard PADDED frames with zero-length payload

Fix OOB read in h2_recv_data() and h2_recv_headers() when PADDED is set
but frame length is 0: we now require ≥1 payload byte before reading the
Pad Length octet. Sends GOAWAY/PROTOCOL_ERROR instead of touching OOB.

Signed-off-by: Joshua Rogers <MegaManSec@users.noreply.github.com>

Author: MegaManSec

src/h2.c

@@ -1188,6 +1188,11 @@ h2_recv_data (connection * const con, const uint8_t * const s, const uint32_t le
     uint32_t alen = len; /* actual data len, minus padding */
     uint32_t pad = 0;
     if (s[4] & H2_FLAG_PADDED) {
+        /* need at least 1 payload byte for Pad Length */
+        if (len < 1) {
+            h2_send_goaway_e(con, H2_E_PROTOCOL_ERROR);
+            return 0;
+        }
         pad = s[9];
         if (pad >= len) {
             h2_send_goaway_e(con, H2_E_PROTOCOL_ERROR);
@@ -1867,8 +1872,13 @@ h2_recv_headers (connection * const con, uint8_t * const s, uint32_t flen)
     const unsigned char *psrc = s + 9;
     uint32_t alen = flen;
     if (s[4] & H2_FLAG_PADDED) {
-        ++psrc;
+        /* need at least 1 payload byte for Pad Length */
+        if (alen < 1) {
+            h2_send_goaway_e(con, H2_E_PROTOCOL_ERROR);
+            return 0;
+        }
         const uint32_t pad = s[9];
+        ++psrc;
         if (alen < 1 + pad) {
             /* Padding that exceeds the size remaining for the header block
              * fragment MUST be treated as a PROTOCOL_ERROR. */