You are viewing a plain text version of this content. The canonical link for it is here.

Posted to cvs@httpd.apache.org by ma...@apache.org on 2019/09/10 19:36:38 UTC

svn commit: r1866760 - /httpd/apreq/trunk/library/parser_multipart.c

Author: max
Date: Tue Sep 10 19:36:38 2019
New Revision: 1866760

URL: http://svn.apache.org/viewvc?rev=1866760&view=rev
Log:
parser_multipart: fix NULL pointer dereference in nested multipart

create_multipart_context() can return NULL if the given Content-Type
was not recognized (if there is no "boundary" attribute).  This
crashes libapreq2.

This bug was introduced by SVN commit 227276.  Prior to this commit,
there was a NULL check, but the commit removed it:

 http://svn.apache.org/viewvc/httpd/apreq/trunk/library/parser_multipart.c?r1=227276&r2=227275&pathrev=227276


Modified:
    httpd/apreq/trunk/library/parser_multipart.c

Modified: httpd/apreq/trunk/library/parser_multipart.c
URL: http://svn.apache.org/viewvc/httpd/apreq/trunk/library/parser_multipart.c?rev=1866760&r1=1866759&r2=1866760&view=diff
==============================================================================
--- httpd/apreq/trunk/library/parser_multipart.c (original)
+++ httpd/apreq/trunk/library/parser_multipart.c Tue Sep 10 19:36:38 2019
@@ -410,6 +410,10 @@ APREQ_DECLARE_PARSER(apreq_parse_multipa
                                                     parser->brigade_limit,
                                                     parser->temp_dir,
                                                     ctx->level + 1);
+                if (next_ctx == NULL) {
+                    ctx->status = MFD_ERROR;
+                    goto mfd_parse_brigade;
+                }
 
                 next_ctx->param_name = "";