diff options
| author | michael-grunder <michael.grunder@gmail.com> | 2014-05-19 13:18:13 -0700 |
|---|---|---|
| committer | antirez <antirez@gmail.com> | 2014-05-20 16:20:38 +0200 |
| commit | d491a479bc373310af1a106b11b92c5a596bbca4 (patch) | |
| tree | a1a40a8a4dc6fd12046d18df681419b7de822e54 | |
| parent | d575f7a147fc28fdb879d30f3f09a0afe6bf57d7 (diff) | |
| download | redis-d491a479bc373310af1a106b11b92c5a596bbca4.tar.gz | |
Fix LUA_OBJCACHE segfault.
When scanning the argument list inside of a redis.call() invocation
for pre-cached values, there was no check being done that the
argument we were on was in fact within the bounds of the cache size.
So if a redis.call() command was ever executed with more than 32
arguments (current cache size #define setting) redis-server could
segfault.
| -rw-r--r-- | src/scripting.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/src/scripting.c b/src/scripting.c index 62bc02d87..1298327e3 100644 --- a/src/scripting.c +++ b/src/scripting.c @@ -237,7 +237,9 @@ int luaRedisGenericCommand(lua_State *lua, int raise_error) { if (obj_s == NULL) break; /* Not a string. */ /* Try to use a cached object. */ - if (cached_objects[j] && cached_objects_len[j] >= obj_len) { + if (j < LUA_CMD_OBJCACHE_SIZE && cached_objects[j] && + cached_objects_len[j] >= obj_len) + { char *s = cached_objects[j]->ptr; struct sdshdr *sh = (void*)(s-(sizeof(struct sdshdr))); |