Index: src/include/k5-int.h
===================================================================
--- src/include/k5-int.h	(revision 19537)
+++ src/include/k5-int.h	(revision 19538)
@@ -1048,9 +1048,9 @@
 #define KRB5_GET_INIT_CREDS_OPT_SHADOWED 0x40000000
 
 #define krb5_gic_opt_is_extended(s) \
-    (((s)->flags & KRB5_GET_INIT_CREDS_OPT_EXTENDED) ? 1 : 0)
+    ((s) && ((s)->flags & KRB5_GET_INIT_CREDS_OPT_EXTENDED) ? 1 : 0)
 #define krb5_gic_opt_is_shadowed(s) \
-    (((s)->flags & KRB5_GET_INIT_CREDS_OPT_SHADOWED) ? 1 : 0)
+    ((s) && ((s)->flags & KRB5_GET_INIT_CREDS_OPT_SHADOWED) ? 1 : 0)
 
 
 typedef struct _krb5_gic_opt_private {
Index: src/lib/krb5/krb/gic_opt.c
===================================================================
--- src/lib/krb5/krb/gic_opt.c	(revision 19537)
+++ src/lib/krb5/krb/gic_opt.c	(revision 19538)
@@ -206,8 +206,18 @@
     oe = krb5int_gic_opte_alloc(context);
     if (NULL == oe)
 	return ENOMEM;
-    memcpy(oe, opt, sizeof(*opt));
-    /* Fix these -- overwritten by the copy */
+
+    if (opt)
+        memcpy(oe, opt, sizeof(*opt));
+
+    /*
+     * Fix the flags -- the EXTENDED flag would have been
+     * overwritten by the copy if there was one.  The
+     * SHADOWED flag is necessary to ensure that the
+     * krb5_gic_opt_ext structure that was allocated
+     * here will be freed by the library because the
+     * application is unaware of its existence.
+     */
     oe->flags |= ( KRB5_GET_INIT_CREDS_OPT_EXTENDED |
 		   KRB5_GET_INIT_CREDS_OPT_SHADOWED);