BUG/MAJOR: map: fix a segfault when using http-request set-map

The bug happens with an existing entry, when you try to overwrite the
value with wrong data, for example, a string when the type is INT.

The code path was not secure and tried to set *err and *merr while
err = merr = NULL when performing an http action.

Must be backported in 1.6, 1.7, 1.8.

diff --git a/src/pattern.c b/src/pattern.c
index 2eb82650124886aa5bcebb09825390b776d374ce..35c1c7e8036a27bd725a503b779fd30184dfcab7 100644 (file)
--- a/src/pattern.c
+++ b/src/pattern.c
@@ -1815,12 +1815,14 @@ int pat_ref_set(struct pat_ref *ref, const char *key, const char *value, char **
        list_for_each_entry(elt, &ref->head, list) {
                if (strcmp(key, elt->pattern) == 0) {
                        if (!pat_ref_set_elt(ref, elt, value, merr)) {
-                               if (!found)
-                                       *err = *merr;
-                               else {
-                                       memprintf(err, "%s, %s", *err, *merr);
-                                       free(*merr);
-                                       *merr = NULL;
+                               if (err && merr) {
+                                       if (!found) {
+                                               *err = *merr;
+                                       } else {
+                                               memprintf(err, "%s, %s", *err, *merr);
+                                               free(*merr);
+                                               *merr = NULL;
+                                       }
                                }
                        }
                        found = 1;