If ALTSVC frame is received by libnghttp2 and it is larger than it can accept, the pointer field which points to ALTSVC frame payload is left NULL. Later libnghttp2 attempts to access another field through the pointer, and gets segmentation fault. The largest frame size libnghttp2 accept is by default 16384 bytes.
Receiving ALTSVC frame is disabled by default. Application has to enable it explicitly by calling `nghttp2_option_set_builtin_recv_extension_type(opt, NGHTTP2_ALTSVC)`.
Transmission of ALTSVC is always enabled, and it does not cause this vulnerability. ALTSVC frame is expected to be sent by server, and received by client as defined in RFC 7838.
Affected versions: nghttp2 >= 1.10.0 and nghttp2 <= v1.31.0