From 304bb2f7c1b463373aa31c1530144c67f6afddb2 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Tue, 25 Sep 2018 11:48:43 +0200
Subject: [PATCH] Curl_http2_done: fix memleak in error path

Free 'header_recvbuf' unconditionally even if 'h2' isn't (yet) set, for early failures.

Detected by OSS-Fuzz
Bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10669
Closes #3046
---
 lib/http2.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/lib/http2.c b/lib/http2.c
index b1a8213bd..29edfba7a 100644
--- a/lib/http2.c
+++ b/lib/http2.c
@@ -1142,12 +1142,8 @@ void Curl_http2_done(struct connectdata *conn, bool premature)
   struct HTTP *http = data->req.protop;
   struct http_conn *httpc = &conn->proto.httpc;
 
-  if(!httpc->h2) /* not HTTP/2 ? */
-    return;
-
-  if(data->state.drain)
-    drained_transfer(data, httpc);
-
+  /* there might be allocated resources done before this got the 'h2' pointer setup */
   if(http->header_recvbuf) {
     Curl_add_buffer_free(&http->header_recvbuf);
     Curl_add_buffer_free(&http->trailer_recvbuf);
@@ -1161,6 +1157,12 @@ void Curl_http2_done(struct connectdata *conn, bool premature)
     }
   }
 
+  if(!httpc->h2) /* not HTTP/2 ? */
+    return;
+
+  if(data->state.drain)
+    drained_transfer(data, httpc);
+
   if(premature) {
     /* RST_STREAM */
     if(!nghttp2_submit_rst_stream(httpc->h2, NGHTTP2_FLAG_NONE,
--
2.40.0
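Review bot: The reordering makes `http->header_recvbuf` the first thing the function reads, ahead of the `!httpc->h2` early return, so Curl_http2_done now dereferences `data->req.protop` even on a connection that never became HTTP/2, which the old order avoided; nothing in the hunk shows that `http` cannot be NULL at that point. If the caller guarantees a set-up protop (presumably the HTTP done path does), a comment such as `/* 'http' is non-NULL here: the caller only invokes this with a set-up protop */` above the `header_recvbuf` check would make that dependency explicit; otherwise add `if(!http) return;` ahead of it. The frees also leave `trailer_recvbuf` untouched whenever `header_recvbuf` is NULL, which is only leak-free if the two buffers are always allocated together — worth confirming against the setup code. Curl_http2_done begins before the first hunk (the `data` declaration is not visible) and continues past the end of the second.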