Report

CVE-2022-32221 curl POST-after-PUT use-after-free

65afb7be-d02e-4a19-b223-30dc8fea4047

CVE-2022-32221: use-after-free (UAF) in curl 7.84.0 when a CURL easy handle that previously performed a PUT (with CURLOPT_READFUNCTION) is reused for a subsequent POST with CURLOPT_POSTFIELDS on a reused connection. Setting CURLOPT_POSTFIELDS changes set.method to HTTPREQ_POST but does not clear set.upload or rebind data->state.fread_func/data->state.in. The stale PUT read-callback (and its possibly-freed user buffer) is therefore still invoked when the POST body is sent, and libcurl dereferences memory the application had already freed.
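The stale-state condition described above, as an added example: a simplified C model of the named handle fields, not libcurl source and not part of the original report. The `model_*` names, the rule in `model_pick_body`, and the reset shown as the remedy are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model of the handle fields named in the report (assumed layout). */
enum httpreq { HTTPREQ_GET, HTTPREQ_PUT, HTTPREQ_POST };
enum body_source { BODY_FROM_POSTFIELDS, BODY_FROM_READ_CALLBACK };
typedef size_t (*read_cb)(char *buf, size_t n, void *userp);

struct easy_model {
    enum httpreq method;     /* set.method */
    int upload;              /* set.upload */
    read_cb fread_func;      /* state.fread_func */
    void *in;                /* state.in: pointer owned by the application */
    const char *postfields;  /* body given via CURLOPT_POSTFIELDS */
};

static size_t put_reader(char *buf, size_t n, void *userp) {
    (void)buf; (void)n; (void)userp; return 0;  /* placeholder callback */
}

/* PUT setup: upload flag on, read callback and user pointer bound. */
static void model_set_put(struct easy_model *h, read_cb cb, void *userp) {
    h->method = HTTPREQ_PUT; h->upload = 1; h->fread_func = cb; h->in = userp;
}

/* Behaviour the report describes: only the method (and body) change. */
static void model_set_postfields_stale(struct easy_model *h, const char *body) {
    h->postfields = body; h->method = HTTPREQ_POST;
}

/* Hardened setter (assumed remedy): also drop every piece of PUT state. */
static void model_set_postfields_reset(struct easy_model *h, const char *body) {
    model_set_postfields_stale(h, body);
    h->upload = 0; h->fread_func = NULL; h->in = NULL;
}

/* Send path (assumed rule): a lingering upload flag wins over the POST body. */
static enum body_source model_pick_body(const struct easy_model *h) {
    return (h->upload && h->fread_func) ? BODY_FROM_READ_CALLBACK
                                        : BODY_FROM_POSTFIELDS;
}

/* PUT then POST on one handle; returns the body source chosen for the POST. */
static enum body_source put_then_post(int hardened) {
    struct easy_model h; char put_buf[8] = "payload";  /* constructed input */
    memset(&h, 0, sizeof h);
    model_set_put(&h, put_reader, put_buf);
    if (hardened) model_set_postfields_reset(&h, "a=1");
    else model_set_postfields_stale(&h, "a=1");
    return model_pick_body(&h);
}
```

In the stale variant the POST still resolves to the read callback and its `in` pointer, which is the point at which a buffer freed after the PUT would be dereferenced.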
