From 7b50dff9562dbf9ead76fd6ae29d5b0f396fa98b Mon Sep 17 00:00:00 2001
From: Karl Seguin
Date: Fri, 24 Apr 2026 18:19:12 +0800
Subject: [PATCH] Fix a user-after-free on an empty (and invalid) empty location

Improves WPT: /fetch/api/redirect/redirect-empty-location.any.html
---
 src/browser/HttpClient.zig | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/src/browser/HttpClient.zig b/src/browser/HttpClient.zig
index bc31adc2..fc217e3d 100644
--- a/src/browser/HttpClient.zig
+++ b/src/browser/HttpClient.zig
@@ -1564,10 +1564,18 @@ pub const Transfer = struct {
 return error.LocationNotFound;
 };

- const base_url = try conn.getEffectiveUrl();
- const url = try URL.resolve(arena, std.mem.span(base_url), location.value, .{});
- try transfer.updateURL(url);
+ const url: [:0]const u8 = blk: {
+ if (location.value.len == 0) {
+ // Might seem silly, but URL.resovle will return location.value as-is
+ // if empty, and location.value is memory owned by libcurl.
+ break :blk "";
+ }
+ const base_url = try conn.getEffectiveUrl();
+ break :blk try URL.resolve(arena, std.mem.span(base_url), location.value, .{});
+ };
+
+ try transfer.updateURL(url);

 // 301, 302, 303 → change to GET, drop body.
 // 307, 308 → keep method and body.
 const status = try conn.getResponseCode();
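Review bot: The empty-value guard ahead of `URL.resolve` closes one pass-through case at this call site, but the aliasing behaviour behind the use-after-free stays in `URL.resolve` itself, so any other caller handing it a slice that is not arena-owned remains exposed, as does this one if resolve has further return-the-input-unchanged paths (not visible here). Consider making `URL.resolve` always return arena-owned memory, or at least stating in its doc comment that the result may alias the input. The added comment misspells the function name; I would write `// URL.resolve returns an empty input as-is, and location.value is owned by libcurl, so it must not be stored.` The redirect then continues with `updateURL("")`, and whether an empty URL is rejected further down is outside this hunk, so a regression test pinning that outcome would help. The enclosing function starts and ends outside the hunk.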