commit 00005e46cef3c823411fbe2b929041eacfe9226c
Author: Daniel Stenberg <daniel@haxx.se>
Date:   Mon May 16 16:28:13 2022 +0200

    [Backport] content_encoding: return error on too many compression steps
    
    Offering: RTOS
    CVE: CVE-2022-32206
    Reference: upstream_commit_id=3a09fbb7f264c67c438d01a30669ce325aa508e2
    
    DTS/AR: DTS2022063005656
    type: LTS
    reason: fix CVE-2022-32206 for curl.
    weblink:https://github.com/curl/curl/commit/3a09fbb7f264c67c438d01a30669ce325aa508e2
    
    The max allowed steps is arbitrarily set to 5.
    
    Bug: https://curl.se/docs/CVE-2022-32206.html
    CVE-2022-32206
    Reported-by: Harry Sintonen
    Closes #9049
    
    Signed-off-by: jiahuasheng <jiahuasheng@h-partners.com>

diff --git a/lib/content_encoding.c b/lib/content_encoding.c
index a84ff543b..e78cd1cab 100644
--- a/lib/content_encoding.c
+++ b/lib/content_encoding.c
@@ -1025,12 +1025,16 @@ static const struct content_encoding *find_encoding(const char *name,
   return NULL;
 }
 
+/* allow no more than 5 "chained" compression steps */
+#define MAX_ENCODE_STACK 5
+
 /* Set-up the unencoding stack from the Content-Encoding header value.
  * See RFC 7231 section 3.1.2.2. */
 CURLcode Curl_build_unencoding_stack(struct Curl_easy *data,
                                      const char *enclist, int maybechunked)
 {
   struct SingleRequest *k = &data->req;
+  int counter = 0;
 
   do {
     const char *name;
@@ -1065,6 +1069,11 @@ CURLcode Curl_build_unencoding_stack(struct Curl_easy *data,
       if(!encoding)
         encoding = &error_encoding;  /* Defer error at stack use. */
 
+      if(++counter >= MAX_ENCODE_STACK) {
+        failf(data, "Reject response due to %u content encodings",
+              counter);
+        return CURLE_BAD_CONTENT_ENCODING;
+      }
       /* Stack the unencoding stage. */
       writer = new_unencoding_writer(data, encoding, k->writer_stack);
       if(!writer)