From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 17 Nov 2015 08:47:58 +0000 (+0100)
Subject: http2: http_done: don't free already-freed push headers
X-Git-Tag: curl-7_46_0~43
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b4c39010b528a34bcaa94a4bea8b78e97795563d;p=thirdparty%2Fcurl.git

http2: http_done: don't free already-freed push headers

The push headers are freed after the push callback has been invoked,
meaning this code should only free the headers if the callback was never
invoked and thus the headers weren't freed at that time.

Reported-by: Davey Shafik
---

diff --git a/lib/http.c b/lib/http.c
index 12a70d6deb..eaa5f949ce 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -1480,11 +1480,14 @@ CURLcode Curl_http_done(struct connectdata *conn,
     DEBUGF(infof(data, "free header_recvbuf!!\n"));
     Curl_add_buffer_free(http->header_recvbuf);
     http->header_recvbuf = NULL; /* clear the pointer */
-    for(; http->push_headers_used > 0; --http->push_headers_used) {
-      free(http->push_headers[http->push_headers_used - 1]);
+    if(http->push_headers) {
+      /* if they weren't used and then freed before */
+      for(; http->push_headers_used > 0; --http->push_headers_used) {
+        free(http->push_headers[http->push_headers_used - 1]);
+      }
+      free(http->push_headers);
+      http->push_headers = NULL;
     }
-    free(http->push_headers);
-    http->push_headers = NULL;
   }
   if(http->stream_id) {
     nghttp2_session_set_stream_user_data(httpc->h2, http->stream_id, 0);