In the function header_out_write_value(), the counter qpd_bytes_out is updated after dhi_process_header() is called, instead of before:
r = dec->qpd_dh_if->dhi_process_header(read_ctx->hbrc_hblock, xhdr);
if (r == 0)
dec->qpd_bytes_out += xhdr->name_len + xhdr->val_len;The problem here is that the user callback is free to modify xhdr in any manner, potentially making name_len and val_len invalid.
In the function
header_out_write_value(), the counterqpd_bytes_outis updated afterdhi_process_header()is called, instead of before:The problem here is that the user callback is free to modify
xhdrin any manner, potentially makingname_lenandval_leninvalid.