The bug happens with an existing entry, when you try to overwrite the
value with wrong data, for example, a string when the type is INT.
The code path was not secure and tried to set *err and *merr while
err = merr = NULL when performing an http action.
Must be backported in 1.6, 1.7, 1.8.
---
src/pattern.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/src/pattern.c b/src/pattern.c
index 2eb826501..35c1c7e80 100644
--- a/src/pattern.c
+++ b/src/pattern.c
@@ -1815,12 +1815,14 @@ int pat_ref_set(struct pat_ref *ref, const char *key,
const char *value, char **
list_for_each_entry(elt, &ref->head, list) {
if (strcmp(key, elt->pattern) == 0) {
if (!pat_ref_set_elt(ref, elt, value, merr)) {
- if (!found)
- *err = *merr;
- else {
- memprintf(err, "%s, %s", *err, *merr);
- free(*merr);
- *merr = NULL;
+ if (err && merr) {
+ if (!found) {
+ *err = *merr;
+ } else {
+ memprintf(err, "%s, %s", *err,
*merr);
+ free(*merr);
+ *merr = NULL;
+ }
}
}
found = 1;
--
2.16.1
