HTTP multi-header compression denial of service

curl supports “chained” HTTP compression algorithms, meaning that a server
response can be compressed multiple times and potentially with different
algorithms. The number of acceptable “links” in this “decompression chain” was
capped, but the cap was implemented on a per-header basis allowing a malicious
server to insert a virtually unlimited number of compression steps simply by
using many headers.

The use of such a decompression chain could result in a “malloc bomb”, making
curl end up spending enormous amounts of allocated heap memory, or trying to
and returning out of memory errors.