The haproxy hpack implementation in hpack-tbl.c handles 0-length HTTP headers incorrectly. This can lead to a fully controlled relative out-of-bounds write when processing a malicious HTTP2 request (or response).
MD5 | ec4200ed138e11159b83e1a1d18ff6d3
