From 371617983a7640a42d74db9c17f7ac3c9c22d29d Mon Sep 17 00:00:00 2001 From: Sami Rosendahl Date: Fri, 11 Nov 2011 13:29:38 +0100 Subject: Fix crash in QHttpNetworkReplyPrivate::gunzipBodyPartiallyEnd If a HTTP server responds with gzip-encoded empty content without defining Content-Length in the response header QHttpNetworkReplyPrivate::gunzipBodyPartiallyEnd will crash because it calls zlib inflateEnd for an uninitialized stream. - Fixed the crash by adding a check if the stream is initialized to gunzipBodyPartiallyEnd. - Added a regression test tst_QNetworkReply::nb279420gzipNoContentLengthEmptyContentDisconnect PMO 279420 Task-number: QTBUG-22660 Signed-off-by: Sami Rosendahl Merge-request: 1465 Reviewed-by: Peter Hartmann --- src/network/access/qhttpnetworkreply.cpp | 6 ++++-- tests/auto/qnetworkreply/tst_qnetworkreply.cpp | 23 +++++++++++++++++++++++ 2 files changed, 27 insertions(+), 2 deletions(-) diff --git a/src/network/access/qhttpnetworkreply.cpp b/src/network/access/qhttpnetworkreply.cpp index 6173b39..3dc8b2f 100644 --- a/src/network/access/qhttpnetworkreply.cpp +++ b/src/network/access/qhttpnetworkreply.cpp @@ -472,8 +472,10 @@ int QHttpNetworkReplyPrivate::gunzipBodyPartially(QByteArray &compressed, QByteA void QHttpNetworkReplyPrivate::gunzipBodyPartiallyEnd() { - inflateEnd(&inflateStrm); - initInflate = false; + if (initInflate) { + inflateEnd(&inflateStrm); + initInflate = false; + } } #endif diff --git a/tests/auto/qnetworkreply/tst_qnetworkreply.cpp b/tests/auto/qnetworkreply/tst_qnetworkreply.cpp index 9df820a..14ad6a9 100644 --- a/tests/auto/qnetworkreply/tst_qnetworkreply.cpp +++ b/tests/auto/qnetworkreply/tst_qnetworkreply.cpp @@ -368,6 +368,7 @@ private Q_SLOTS: void qtbug15311doubleContentLength(); void qtbug18232gzipContentLengthZero(); + void nb279420gzipNoContentLengthEmptyContentDisconnect(); void synchronousRequest_data(); void synchronousRequest(); @@ -6139,6 +6140,28 @@ void tst_QNetworkReply::qtbug18232gzipContentLengthZero() QCOMPARE(reply->readAll(), QByteArray()); } +// Reproduced a crash in QHttpNetworkReplyPrivate::gunzipBodyPartiallyEnd +// where zlib inflateEnd was called for uninitialized zlib stream +void tst_QNetworkReply::nb279420gzipNoContentLengthEmptyContentDisconnect() +{ + // Response with no Content-Length in header and empty content + QByteArray response("HTTP/1.0 200 OK\r\nContent-Encoding: gzip\r\n\r\n"); + MiniHttpServer server(response); + server.doClose = true; + + QNetworkRequest request(QUrl("http://localhost:" + QString::number(server.serverPort()))); + QNetworkReplyPtr reply = manager.get(request); + + connect(reply, SIGNAL(finished()), &QTestEventLoop::instance(), SLOT(exitLoop())); + QTestEventLoop::instance().enterLoop(10); + QVERIFY(!QTestEventLoop::instance().timeout()); + QVERIFY(reply->isFinished()); + QCOMPARE(reply->error(), QNetworkReply::NoError); + QCOMPARE(reply->size(), qint64(0)); + QVERIFY(!reply->header(QNetworkRequest::ContentLengthHeader).isValid()); + QCOMPARE(reply->readAll(), QByteArray()); +} + void tst_QNetworkReply::synchronousRequest_data() { QTest::addColumn("url"); -- cgit v0.12