From 63e996200268599522db97d9a0ef37f43d5ca506 Mon Sep 17 00:00:00 2001
From: Shane Kearns <ext-shane.2.kearns@nokia.com>
Date: Mon, 21 May 2012 10:54:37 +0100
Subject: Prevent infinite loops by handling all ZLIB errors

In case the HTTP server returns more data after the end of the
compressed data stream, inflate will return Z_STREAM_END, which
is a normal informative error code.
This was handled in 4.8, but lost in 5.0.
Also catch all ZLIB negative error codes rather than only three.

Task-number: QTBUG-25823
Change-Id: Ibdbbd3dd6fa81a0880c477cb080ad35f2d7116f0
Reviewed-by: Martin Petersson <Martin.Petersson@nokia.com>
---
 src/network/access/qhttpnetworkreply.cpp | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

(limited to 'src')

diff --git a/src/network/access/qhttpnetworkreply.cpp b/src/network/access/qhttpnetworkreply.cpp
index bcfe48f29d..b95a227467 100644
--- a/src/network/access/qhttpnetworkreply.cpp
+++ b/src/network/access/qhttpnetworkreply.cpp
@@ -699,14 +699,13 @@ qint64 QHttpNetworkReplyPrivate::uncompressBodyData(QByteDataBuffer *in, QByteDa
             inflateStrm.next_out = reinterpret_cast<Bytef*>(bOut.data());
 
             int ret = inflate(&inflateStrm, Z_NO_FLUSH);
-            switch (ret) {
-            case Z_NEED_DICT:
-            case Z_DATA_ERROR:
-            case Z_MEM_ERROR:
+            //All negative return codes are errors, in the context of HTTP compression, Z_NEED_DICT is also an error.
+            if (ret < 0 || ret == Z_NEED_DICT)
                 return -1;
-            }
             bOut.resize(bOut.capacity() - inflateStrm.avail_out);
             out->append(bOut);
+            if (ret == Z_STREAM_END)
+                return out->byteAmount();
         } while (inflateStrm.avail_in > 0);
     }
 
-- 
cgit v1.2.3