From: Joe Orton
Date: Mon, 30 Sep 2019 09:50:44 +0000 (+0000)
Subject: Merge r1866760 from ^/httpd/apreq/trunk:
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=4fa8d6d8a40bb9c28b3f208598019f4b75da2ec7;p=apache

Merge r1866760 from ^/httpd/apreq/trunk:

parser_multipart: fix NULL pointer dereference in nested multipart

create_multipart_context() can return NULL if the given Content-Type was not recognized (if there is no "boundary" attribute). This crashes libapreq2.

This bug was introduced by SVN commit 227276. Prior to this commit, there was a NULL check, but the commit removed it:

http://svn.apache.org/viewvc/httpd/apreq/trunk/library/parser_multipart.c?r1=227276&r2=227275&pathrev=227276

Submitted by: max

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1867761 13f79535-47bb-0310-9956-ffa450edef68

---

diff --git a/server/apreq_parser_multipart.c b/server/apreq_parser_multipart.c index 60b5bad9de..4242b7e9eb 100644 --- a/server/apreq_parser_multipart.c +++ b/server/apreq_parser_multipart.c @@ -410,6 +410,10 @@ APREQ_DECLARE_PARSER(apreq_parse_multipart) parser->brigade_limit, parser->temp_dir, ctx->level + 1); + if (next_ctx == NULL) { + ctx->status = MFD_ERROR; + goto mfd_parse_brigade; + } next_ctx->param_name = "";
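
Review bot: The new `if (next_ctx == NULL)` branch has no comment saying when create_multipart_context() returns NULL; only the commit message explains it (a nested part whose Content-Type has no "boundary" attribute). Since the commit message says this same check was removed once before, a one-line comment above it would keep the reason next to the code. The branch also relies on the code at `mfd_parse_brigade` acting on `ctx->status == MFD_ERROR`, which lies outside the visible context, so it is worth confirming that this path returns an error to the caller instead of continuing to parse. The patch adds no test for a nested multipart part without a boundary; one would guard against the check being dropped again.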