Fix crash in QHttpNetworkReplyPrivate::gunzipBodyPartiallyEnd

If a HTTP server responds with gzip-encoded empty content without defining
Content-Length in the response header QHttpNetworkReplyPrivate::gunzipBodyPartiallyEnd
will crash because it calls zlib inflateEnd for an uninitialized stream.

- Fixed the crash by adding a check if the stream is initialized to gunzipBodyPartiallyEnd.
- Added a regression test tst_QNetworkReply::nb279420gzipNoContentLengthEmptyContentDisconnect

PMO 279420
Task-number: QTBUG-22660

Signed-off-by: Sami Rosendahl <sami.rosendahl@reaktor.fi>

Merge-request: 1465
Reviewed-by: Peter Hartmann <peter.hartmann@nokia.com>

2 files changed, 27 insertions, 2 deletions

diff --git a/src/network/access/qhttpnetworkreply.cpp b/src/network/access/qhttpnetworkreply.cpp
index 6173b39..3dc8b2f 100644
--- a/src/network/access/qhttpnetworkreply.cpp
+++ b/src/network/access/qhttpnetworkreply.cpp
@@ -472,8 +472,10 @@ int QHttpNetworkReplyPrivate::gunzipBodyPartially(QByteArray &compressed, QByteA
 
 void QHttpNetworkReplyPrivate::gunzipBodyPartiallyEnd()
 {
-    inflateEnd(&inflateStrm);
-    initInflate = false;
+    if (initInflate) {
+        inflateEnd(&inflateStrm);
+        initInflate = false;
+    }
 }
 
 #endif
diff --git a/tests/auto/qnetworkreply/tst_qnetworkreply.cpp b/tests/auto/qnetworkreply/tst_qnetworkreply.cpp
index 9df820a..14ad6a9 100644
--- a/tests/auto/qnetworkreply/tst_qnetworkreply.cpp
+++ b/tests/auto/qnetworkreply/tst_qnetworkreply.cpp
@@ -368,6 +368,7 @@ private Q_SLOTS:
     void qtbug15311doubleContentLength();
 
     void qtbug18232gzipContentLengthZero();
+    void nb279420gzipNoContentLengthEmptyContentDisconnect();
 
     void synchronousRequest_data();
     void synchronousRequest();
@@ -6139,6 +6140,28 @@ void tst_QNetworkReply::qtbug18232gzipContentLengthZero()
     QCOMPARE(reply->readAll(), QByteArray());
 }
 
+// Reproduced a crash in QHttpNetworkReplyPrivate::gunzipBodyPartiallyEnd
+// where zlib inflateEnd was called for uninitialized zlib stream
+void tst_QNetworkReply::nb279420gzipNoContentLengthEmptyContentDisconnect()
+{
+    // Response with no Content-Length in header and empty content
+    QByteArray response("HTTP/1.0 200 OK\r\nContent-Encoding: gzip\r\n\r\n");
+    MiniHttpServer server(response);
+    server.doClose = true;
+
+    QNetworkRequest request(QUrl("http://localhost:" + QString::number(server.serverPort())));
+    QNetworkReplyPtr reply = manager.get(request);
+
+    connect(reply, SIGNAL(finished()), &QTestEventLoop::instance(), SLOT(exitLoop()));
+    QTestEventLoop::instance().enterLoop(10);
+    QVERIFY(!QTestEventLoop::instance().timeout());
+    QVERIFY(reply->isFinished());
+    QCOMPARE(reply->error(), QNetworkReply::NoError);
+    QCOMPARE(reply->size(), qint64(0));
+    QVERIFY(!reply->header(QNetworkRequest::ContentLengthHeader).isValid());
+    QCOMPARE(reply->readAll(), QByteArray());
+}
+
 void tst_QNetworkReply::synchronousRequest_data()
 {
     QTest::addColumn<QUrl>("url");