java: websocket: Additional payload length validation

<https://bz.apache.org/bugzilla/show_bug.cgi?id=64563>

Patch taken from <https://github.com/apache/tomcat/commit/1c1c77b0efb667cea80b532440b44cea1dc427c3.patch>

[ Subject / message tweak - Andrew ]
Signed-off-by: Andrew Clayton <[email protected]>

Author: markt-asf

src/java/nginx/unit/websocket/WsFrameBase.java

@@ -260,6 +260,13 @@ private boolean processRemainingHeader() throws IOException {
         } else if (payloadLength == 127) {
             payloadLength = byteArrayToLong(inputBuffer.array(),
                     inputBuffer.arrayOffset() + inputBuffer.position(), 8);
+            // The most significant bit of those 8 bytes is required to be zero
+            // (see RFC 6455, section 5.2). If the most significant bit is set,
+            // the resulting payload length will be negative so test for that.
+            if (payloadLength < 0) {
+                throw new WsIOException(
+                        new CloseReason(CloseCodes.PROTOCOL_ERROR, sm.getString("wsFrame.payloadMsbInvalid")));
+            }
             inputBuffer.position(inputBuffer.position() + 8);
         }
         if (Util.isControl(opCode)) {