Bug 309760
| Summary: | ZStream::~ZStream() should call inflateEnd() for decompression mode | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Fujii Hironori <fujii> |
| Component: | WebCore Misc. | Assignee: | Fujii Hironori <fujii> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | brandonstewart |
| Priority: | P2 | | |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| See Also: | https://bugs.webkit.org/show_bug.cgi?id=280445 | | |
Fujii Hironori
Claude Code reported:
**Severity:** Low — technically undefined behavior but zlib handles it gracefully
**Type:** Logic bug (not a crash)
**Reproducible:** Always present in code, but does not trigger ASAN
### Location
**File:** `Source/WebCore/Modules/compression/ZStream.cpp`, line 83
```cpp
ZStream::~ZStream()
{
    if (m_isInitialized)
        deflateEnd(&m_stream); // BUG: always calls deflateEnd, even for inflate streams
}
```
### Root cause
The `ZStream` class tracks `m_isInitialized` (bool) but does not track the `Operation` type (Compression vs Decompression). The destructor unconditionally calls `deflateEnd()`. For decompression streams initialized via `inflateInit2()`, the correct call is `inflateEnd()`.
Per the zlib API, calling `deflateEnd()` on an inflate stream is undefined behavior. In practice, zlib's internal state checking returns `Z_STREAM_ERROR` without corrupting memory.
### Suggested fix
Add an `Operation` member to `ZStream` and call the correct cleanup:
```cpp
// In ZStream.h:
Operation m_operation;

// In ZStream.cpp destructor:
ZStream::~ZStream()
{
    if (m_isInitialized) {
        if (m_operation == Operation::Compression)
            deflateEnd(&m_stream);
        else
            inflateEnd(&m_stream);
    }
}
```
Fujii Hironori
Pull request: https://github.com/WebKit/WebKit/pull/60621
Fujii Hironori
Dupe of bug#302216. Closed.
Fujii Hironori
Fixed by 309446@main.