Fix NULL pointer dereference in httpGetField2 (Issue #5598)

diff --git a/CHANGES.md b/CHANGES.md
index 74c6c59e96e5d2fb7d3d7041586b20c39c669a3d..06eba39b2a35f10c547f90d052c6945b94d5b2a3 100644 (file)
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,4 +1,4 @@
-CHANGES - 2.3.0 - 2019-06-13
+CHANGES - 2.3.0 - 2019-06-17
 ============================
 
 
@@ -10,6 +10,7 @@ Changes in CUPS v2.3.0
 - Eliminated some new GCC compiler warnings (Issue #5591)
 - Removed dead code from the scheduler (Issue #5593)
 - "make" failed with GZIP options (Issue #5595)
+- Fixed a NULL pointer dereference bug in `httpGetSubField2` (Issue #5598)
 - Fixed an issue with `EXPECT !name WITH-VALUE ...` tests.
 - Fixed a command ordering issue in the Zebra ZPL driver.
 

diff --git a/cups/http.c b/cups/http.c
index ff8f6918f8bebe403c7706bb4d0553717d4cd201..266a15791a9d0c641b0f616d8c343cce5fb29c6c 100644 (file)
--- a/cups/http.c
+++ b/cups/http.c
@@ -1,8 +1,8 @@
 /*
  * HTTP routines for CUPS.
  *
- * Copyright 2007-2018 by Apple Inc.
- * Copyright 1997-2007 by Easy Software Products, all rights reserved.
+ * Copyright © 2007-2019 by Apple Inc.
+ * Copyright © 1997-2007 by Easy Software Products, all rights reserved.
  *
  * This file contains Kerberos support code, copyright 2006 by
  * Jelmer Vernooij.
@@ -1345,8 +1345,11 @@ httpGetSubField2(http_t       *http,     /* I - HTTP connection */
 
   DEBUG_printf(("2httpGetSubField2(http=%p, field=%d, name=\"%s\", value=%p, valuelen=%d)", (void *)http, field, name, (void *)value, valuelen));
 
+  if (value)
+    *value = '\0';
+
   if (!http || !name || !value || valuelen < 2 ||
-      field <= HTTP_FIELD_UNKNOWN || field >= HTTP_FIELD_MAX)
+      field <= HTTP_FIELD_UNKNOWN || field >= HTTP_FIELD_MAX || !http->fields[field])
     return (NULL);
 
   end = value + valuelen - 1;