From: Michael R Sweet <michael.r.sweet@gmail.com>
Date: Thu, 18 Apr 2019 11:52:54 +0000 (-0400)
Subject: Fix a memory reallocation bug in HTTP header value expansion
X-Git-Tag: v2.3b8~45
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9a51a8159fe4231a31e9a20084ae3ce3f4e8e366;p=thirdparty%2Fcups.git

Fix a memory reallocation bug in HTTP header value expansion
(rdar://problem/50000749)
---

diff --git a/CHANGES.md b/CHANGES.md
index ae874c2b5b..f673ea2220 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,4 +1,4 @@
-CHANGES - 2.3b8 - 2019-04-15
+CHANGES - 2.3b8 - 2019-04-18
 ============================
 
 
@@ -9,6 +9,8 @@ Changes in CUPS v2.3b8
 - The lpadmin command would hang with a bad PPD file (rdar://41495016)
 - Fixed a potential crash bug in cups-driverd (rdar://46625579)
 - Fixed a performance regression with large PPDs (rdar://47040759)
+- Fixed a memory reallocation bug in HTTP header value expansion
+  (rdar://problem/50000749)
 - Restored minimal support for the `Emulators` keyword in PPD files to allow
   old Samsung printer drivers to continue to work (Issue #5562)
 - The scheduler did not encode octetString values like "job-password" correctly
diff --git a/cups/http.c b/cups/http.c
index df9b7bdd66..ff8f6918f8 100644
--- a/cups/http.c
+++ b/cups/http.c
@@ -3644,7 +3644,15 @@ http_add_field(http_t       *http,	/* I - HTTP connection */
 
     char	*combined;		/* New value string */
 
-    if ((combined = realloc(http->fields[field], total + 1)) != NULL)
+    if (http->fields[field] == http->_fields[field])
+    {
+      if ((combined = malloc(total + 1)) != NULL)
+      {
+	http->fields[field] = combined;
+	snprintf(combined, total + 1, "%s, %s", http->_fields[field], value);
+      }
+    }
+    else if ((combined = realloc(http->fields[field], total + 1)) != NULL)
     {
       http->fields[field] = combined;
       strlcat(combined, ", ", total + 1);