From f2d316341c00a343d0b46edd590efa8c102521c3 Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Fri, 27 Dec 2024 17:53:50 -0600
Subject: [PATCH 1/2] soup_message_headers_get_content_disposition: Fix NULL
 deref

---
 libsoup/soup-message-headers.c | 13 +++++++++----
 tests/header-parsing-test.c    | 13 +++++++++++++
 2 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c
index 5c8c7cb9..ccf31233 100644
--- a/libsoup/soup-message-headers.c
+++ b/libsoup/soup-message-headers.c
@@ -1443,10 +1443,15 @@ soup_message_headers_get_content_disposition (SoupMessageHeaders  *hdrs,
 	 */
 	if (params && g_hash_table_lookup_extended (*params, "filename",
 						    &orig_key, &orig_value)) {
-		char *filename = strrchr (orig_value, '/');
-
-		if (filename)
-			g_hash_table_insert (*params, g_strdup (orig_key), filename + 1);
+                if (orig_value) {
+                        char *filename = strrchr (orig_value, '/');
+
+                        if (filename)
+                                g_hash_table_insert (*params, g_strdup (orig_key), filename + 1);
+                } else {
+                        /* filename with no value isn't valid. */
+                        g_hash_table_remove (*params, "filename");
+                }
 	}
 	return TRUE;
 }
-- 
2.49.0


From dd3a245941f117832dd1fdda4f8bc68b44e2810d Mon Sep 17 00:00:00 2001
From: Patrick Griffis <pgriffis@igalia.com>
Date: Fri, 27 Dec 2024 18:00:39 -0600
Subject: [PATCH 2/2] soup_message_headers_get_content_disposition: strdup
 truncated filenames

This table frees the strings it contains.
---
 libsoup/soup-message-headers.c | 2 +-
 tests/header-parsing-test.c    | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/libsoup/soup-message-headers.c b/libsoup/soup-message-headers.c
index ccf31233..64847e30 100644
--- a/libsoup/soup-message-headers.c
+++ b/libsoup/soup-message-headers.c
@@ -1447,7 +1447,7 @@ soup_message_headers_get_content_disposition (SoupMessageHeaders  *hdrs,
                         char *filename = strrchr (orig_value, '/');
 
                         if (filename)
-                                g_hash_table_insert (*params, g_strdup (orig_key), filename + 1);
+                                g_hash_table_insert (*params, g_strdup (orig_key), g_strdup (filename + 1));
                 } else {
                         /* filename with no value isn't valid. */
                         g_hash_table_remove (*params, "filename");
-- 
2.49.0