Sync shared HPack/QPack changes from aspnetcore#125526

Open
Copilot wants to merge 2 commits into main from copilot/apply-auth-issues-fix

Contributor

Copilot AI commented Mar 13, 2026

Closes dotnet/aspnetcore#18943

Huffman-encoded strings can expand significantly on decode (e.g. 10 encoded bytes → 16 decoded bytes). Both HPackDecoder and QPackDecoder validated the encoded string length against _maxHeadersLength before decoding, but never checked the decoded length — allowing Huffman-inflated headers to silently exceed the configured limit.

Description

  • HPackDecoder: After Huffman.Decode, check decodedLength > _maxHeadersLength and throw HPackDecodingException. Add Debug.Assert on the non-Huffman path confirming the pre-decode check is sufficient there.
  • QPackDecoder: Same fix — post-decode length check throwing QPackDecodingException.
  • Tests (HPackDecoderTest, QPackDecoderTest): Two new [Fact] tests each — HuffmanDecodedHeaderName_ExceedsLimitAfterDecoding_Throws and HuffmanDecodedHeaderValue_ExceedsLimitAfterDecoding_Throws — using a maxHeadersLength: 10 decoder with a 10-byte Huffman payload that decodes to 16 bytes ('0' has a 5-bit code: 00000).
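
The gap described above, as an added Python sketch (not code from this pull request or from dotnet/runtime): a string-literal decoder that checks only the encoded length accepts the 10-byte payload and returns 16 bytes, while the post-decode check rejects it. The function names, the `HeaderTooLarge` exception and the `check_decoded` switch are assumptions made for illustration, and the Huffman table is limited to the ten 5-bit codes of RFC 7541 Appendix B.

```python
# Added illustration; not code from dotnet/runtime or aspnetcore.
# Subset of the RFC 7541 Appendix B Huffman table: only the ten 5-bit codes.
FIVE_BIT_CODES = {
    0b00000: b"0", 0b00001: b"1", 0b00010: b"2", 0b00011: b"a", 0b00100: b"c",
    0b00101: b"e", 0b00110: b"i", 0b00111: b"o", 0b01000: b"s", 0b01001: b"t",
}


class HeaderTooLarge(Exception):
    """Hypothetical stand-in for HPackDecodingException / QPackDecodingException."""


def huffman_decode_5bit(encoded: bytes) -> bytes:
    """Decode a payload built only from the 5-bit codes above, plus all-ones padding."""
    bits = "".join(f"{byte:08b}" for byte in encoded)
    out = bytearray()
    pos = 0
    while len(bits) - pos >= 5 and int(bits[pos:pos + 5], 2) in FIVE_BIT_CODES:
        out += FIVE_BIT_CODES[int(bits[pos:pos + 5], 2)]
        pos += 5
    tail = bits[pos:]
    if len(tail) > 7 or "0" in tail:  # padding is at most 7 bits, all ones
        raise ValueError("symbol outside the 5-bit subset, or invalid padding")
    return bytes(out)


def decode_string_literal(encoded: bytes, huffman: bool, max_len: int,
                          check_decoded: bool = True) -> bytes:
    """check_decoded=False models the pre-fix behaviour described above."""
    # Pre-decode check on the wire length: the only check before the fix.
    if len(encoded) > max_len:
        raise HeaderTooLarge(f"encoded length {len(encoded)} > {max_len}")
    if not huffman:
        return encoded  # raw literal: decoded length equals encoded length
    decoded = huffman_decode_5bit(encoded)
    # Post-decode check on the length the application will actually receive.
    if check_decoded and len(decoded) > max_len:
        raise HeaderTooLarge(f"decoded length {len(decoded)} > {max_len}")
    return decoded


# Constructed input: ten zero bytes = 80 bits = sixteen '0' symbols (code 00000).
PAYLOAD = bytes(10)

if __name__ == "__main__":
    print(len(decode_string_literal(PAYLOAD, True, 10, check_decoded=False)))
    try:
        decode_string_literal(PAYLOAD, True, 10)
    except HeaderTooLarge as exc:
        print("rejected:", exc)
```

Because the shortest codes in the table are 5 bits, n encoded bytes can decode to as many as ⌊8n/5⌋ bytes, so a limit enforced only on the wire length is effectively 1.6 times looser than configured.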

Copilot AI and others added 2 commits March 13, 2026 16:17
…ow run 23059322485

Co-authored-by: MihaZupan <25307628+MihaZupan@users.noreply.github.com>
MihaZupan changed the title from "Fix HPack/QPack Huffman decoded header length not checked against max limit" to "Sync shared HPack/QPack changes from aspnetcore" Mar 13, 2026
@MihaZupan
Member

Backport of dotnet/aspnetcore#65771 to runtime

MihaZupan marked this pull request as ready for review March 13, 2026 19:54
Copilot AI review requested due to automatic review settings March 13, 2026 19:54
Contributor

Copilot AI left a comment

Pull request overview

This PR closes a header-size enforcement gap in the shared HPack/QPack decoders by ensuring Huffman-decoded header names/values can’t exceed the configured maximum header length due to post-decode expansion.

Changes:

  • Add post-Huffman-decode length validation in HPackDecoder and QPackDecoder, throwing the appropriate decoding exception when the decoded length exceeds _maxHeadersLength.
  • Add debug assertions on the non-Huffman decode path documenting that the existing pre-decode length check is sufficient.
  • Add new unit tests for HPack and QPack to cover Huffman inflation scenarios where encoded length is within the limit but decoded length exceeds it.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| src/libraries/Common/src/System/Net/Http/aspnetcore/Http2/Hpack/HPackDecoder.cs | Enforces _maxHeadersLength after Huffman decode to prevent inflated decoded strings from bypassing the limit. |
| src/libraries/Common/src/System/Net/Http/aspnetcore/Http3/QPack/QPackDecoder.cs | Mirrors the HPack fix for QPack by validating decoded length after Huffman decode. |
| src/libraries/Common/tests/Tests/System/Net/aspnetcore/Http2/HPackDecoderTest.cs | Adds regression tests that ensure oversized Huffman-decoded names/values throw and do not emit headers. |
| src/libraries/Common/tests/Tests/System/Net/aspnetcore/Http3/QPackDecoderTest.cs | Adds regression tests for the same Huffman expansion overflow scenario in QPack. |

Successfully merging this pull request may close these issues.

The runtime<->aspnetcore shared src is out of sync