309760 2026-03-11 23:45:31 -0700 ZStream::~ZStream() should call inflateEnd() for decompression mode 2026-03-19 18:41:54 -0700 1 1 1 Unclassified WebKit WebCore Misc. WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED https://bugs.webkit.org/show_bug.cgi?id=280445 P2 Normal --- 1 fujii fujii brandonstewart oldest_to_newest 2189428 0 fujii 2026-03-11 23:45:31 -0700 Claude Code reported: **Severity:** Low — technically undefined behavior but zlib handles it gracefully **Type:** Logic bug (not a crash) **Reproducible:** Always present in code, but does not trigger ASAN ### Location **File:** `Source/WebCore/Modules/compression/ZStream.cpp`, line 83 ```cpp ZStream::~ZStream() { if (m_isInitialized) deflateEnd(&m_stream); // BUG: always calls deflateEnd, even for inflate streams } ``` ### Root cause The `ZStream` class tracks `m_isInitialized` (bool) but does not track the `Operation` type (Compression vs Decompression). The destructor unconditionally calls `deflateEnd()`. For decompression streams initialized via `inflateInit2()`, the correct call is `inflateEnd()`. Per the zlib API, calling `deflateEnd()` on an inflate stream is undefined behavior. In practice, zlib's internal state checking returns `Z_STREAM_ERROR` without corrupting memory. ### Suggested fix Add an `Operation` member to `ZStream` and call the correct cleanup: ```cpp // In ZStream.h: Operation m_operation; // In ZStream.cpp destructor: ZStream::~ZStream() { if (m_isInitialized) { if (m_operation == Operation::Compression) deflateEnd(&m_stream); else inflateEnd(&m_stream); } } ``` 2190257 1 fujii 2026-03-13 22:21:46 -0700 Pull request: https://github.com/WebKit/WebKit/pull/60621 2191168 2 fujii 2026-03-17 16:22:17 -0700 Dupe of bug#302216. Closed. 2191898 3 fujii 2026-03-19 18:41:54 -0700 Fixed by 309446@main.