Unverified Commit 6d3c9c8a authored by Daniel Stenberg's avatar Daniel Stenberg
Browse files

http2: handle on_begin_headers() called more than once 

This triggered an assert if called more than once in debug mode (and a
memory leak if not debug build). With the right sequence of HTTP/2
headers incoming it can happen.

Detected by OSS-Fuzz

Closes #2507
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=7764
parent 89963002

lib/http2.c

+4 −8
Original line number Diff line number Diff line
@@ -870,16 +870,12 @@ static int on_begin_headers(nghttp2_session *session, 
    return 0;

  }



  /* This is trailer HEADERS started.  Allocate buffer for them. */

  H2BUGF(infof(data_s, "trailer field started\n"));



  DEBUGASSERT(stream->trailer_recvbuf == NULL);



  if(!stream->trailer_recvbuf) {

    stream->trailer_recvbuf = Curl_add_buffer_init();

    if(!stream->trailer_recvbuf) {

      return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;

    }



  }

  return 0;

}