I was manually messing with my DB to try and fix some earlier manual messing with my DB. I created a situation that exposed a bug in the following code:
There is an NPE vulnerability here. The code on line 421 anticipates and handles a situation where fl may be null. However, line 423 will NPE if fl is null.
Admittedly, this situation has arisen because I have fiddled with the database. So I don't know how likely this situation is to arise in the real world. Nevertheless, it seems a bit untidy that on the one hand we are anticipating that fl might be null, and on the other hand assuming that it isn't.
Windows 10, OpenJDK 11