From 1f7be3430f119571596745188391b3263261d849 Mon Sep 17 00:00:00 2001
From: Josh Elsasser
Date: Tue, 28 Nov 2006 21:45:37 +0000
Subject: [PATCH] Fix an infinite loop triggered by an invalid HTTP chunked response.
---
 libtransmission/http.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/libtransmission/http.c b/libtransmission/http.c
index 331f179bc..d3ba758d1 100644
--- a/libtransmission/http.c
+++ b/libtransmission/http.c
@@ -679,7 +679,7 @@ static int
 checklength( tr_http_t * http )
 {
 char * buf;
- int num, ii, len;
+ int num, ii, len, lastnum;
 switch( http->lengthtype )
 {
@@ -702,10 +702,19 @@ checklength( tr_http_t * http )
 break;
 case HTTP_LENGTH_CHUNKED:
- buf = http->header.buf;
+ buf = http->header.buf;
+ lastnum = -1;
 while( http->header.used > http->chunkoff + http->chunklen )
 {
 num = http->chunkoff + http->chunklen;
+ if( lastnum == num )
+ {
+ /* ugh, some trackers send Transfer-encoding: chunked
+ and then don't encode the body */
+ http->lengthtype = HTTP_LENGTH_EOF;
+ return checklength( http );
+ }
+ lastnum = num;
 while( http->header.used > num && NL( buf[num] ) )
 {
 num++;
@@ -721,6 +730,8 @@ checklength( tr_http_t * http )
 len = strtol( buf + num, NULL, 16 );
 if( 0 == len )
 {
+ /* XXX should handle invalid length
+ differently than 0 length chunk */
 http->header.used = http->chunkoff + http->chunklen;
 return 1;
 }
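Review bot: The new `if( lastnum == num )` fallback in the HTTP_LENGTH_CHUNKED case switches to HTTP_LENGTH_EOF on any stalled iteration, including one that occurs after earlier chunks were already accepted. A response that starts out validly chunked and then turns malformed would be reinterpreted as EOF-delimited without any signal to the caller, so a tolerated tracker quirk and a corrupted or truncated body become indistinguishable. Consider limiting the fallback to the case where no chunk has been parsed yet and treating a later stall as an error; the state needed to tell these apart is not visible in this hunk. The check also compares only against the immediately preceding `num`, so it guarantees termination only if `http->chunkoff + http->chunklen` never moves backwards, which is worth confirming against the rest of the loop body outside the hunk. A short comment on the recursive call would help, for example `/* lengthtype is now HTTP_LENGTH_EOF, so this cannot re-enter the chunked case */`.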
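Review bot: The added XXX comment records the gap, but `strtol( buf + num, NULL, 16 )` still discards the end pointer, so a chunk-size field with no hex digits is indistinguishable from a genuine terminating zero chunk and ends the body with `return 1`. Passing an end pointer and testing `end == buf + num` would separate the two cases. Because the value comes from the remote server and `strtol` accepts a sign and returns `long` while `len` is an `int`, negative or out-of-range results should presumably be rejected here as well, for example `if( len < 0 || len > INT_MAX )` on a `long` temporary, rather than carried into the chunk offsets. How `len` is used after this branch lies outside the hunk, so the exact impact needs confirming there.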