Fix null pointer dereference (Closes: #916190)

3 files changed, 27 insertions, 0 deletions

diff --git a/debian/changelog b/debian/changelog
index 70bd0dd..d2aedbb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+mini-httpd (1.30-0.2) UNRELEASED; urgency=medium
+
+  * Non-maintainer upload.
+  * Fix null pointer dereference (Closes: #916190)
+    + Thanks: Salva Peiró <speirofr@gmail.com>
+
+ -- Dmitry Bogatov <KAction@debian.org>  Wed, 12 Dec 2018 05:07:58 +0000
+
 mini-httpd (1.30-0.1) unstable; urgency=medium
 
   * Non-maintainer upload.
diff --git a/debian/patches/fix-nullpointer-dereference b/debian/patches/fix-nullpointer-dereference
new file mode 100644
index 0000000..2e4fdf8
--- /dev/null
+++ b/debian/patches/fix-nullpointer-dereference
@@ -0,0 +1,18 @@
+---
+ mini_httpd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/mini_httpd.c b/mini_httpd.c
+index 03d0cdd..77f030f 100644
+--- a/mini_httpd.c
++++ b/mini_httpd.c
+@@ -2404,7 +2404,8 @@ auth_check( char* dirname )
+ 	    /* Yes. */
+ 	    (void) fclose( fp );
+ 	    /* So is the password right? */
+-	    if ( strcmp( crypt( authpass, cryp ), cryp ) == 0 )
++	    char *cryptpass = crypt( authpass, cryp );
++	    if ((cryptpass != NULL) && (strcmp(cryptpass, cryp ) == 0) )
+ 		{
+ 		/* Ok! */
+ 		remoteuser = line;
diff --git a/debian/patches/series b/debian/patches/series
index 7dfdbf3..1356142 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,3 +7,4 @@ fix-change-index-document-root
 fix-makefile
 05-manpage-hyphen
 fix-ftbfs-kfreebsd-amd64
+fix-nullpointer-dereference