Integer Overflow or Wraparound in org.eclipse.jetty.http2:http2-hpack

Summary

Eclipse Jetty provides a web server and servlet container.An integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. `MetaDataBuilder.java` determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when the length is very large and huffman is true, the multiplication by 4 in line 295 will overflow, and length will become negative. `(_size+length)` will now be negative, and the check on line 296 will not be triggered. Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. Users of HTTP/2 can be impacted by a remote denial of service attack. This issue affects the packages org.eclipse.jetty:jetty-http in versions 9.3.0.M0 through 9.4.52.v20230823, 10.0.0-alpha0 through 10.0.15, and 11.0.0-alpha0 through 11.0.15, 12.0.0.alpha0 through 12.0.0.beta1, org.eclipse.jetty.http3:http3-qpack in versions 10.0.8 through 10.0.15, and 11.0.8 through 11.0.15, org.eclipse.jetty.http2:jetty-http2-hpack, org.eclipse.jetty.http3:jetty-http3-qpack in versions 12.0.0.alpha0 through 12.0.0.beta1, and org.eclipse.jetty.http2:http2-hpack versions 9.3.0.M0 through 9.4.52.v20230823, 10.0.0-alpha0 through 10.0.15, and 11.0.0-alpha0 through 11.0.15.