Fix integer overflow in _sdsMakeRoomFor (CVE-2021-41099)

author: YiyuanGUO <yguoaz@gmail.com> 2021-09-29 10:20:35 +0300
committer: Oran Agra <oran@redislabs.com> 2021-10-04 13:58:43 +0300
commit: 2b0ac7427ba5a6e1bc89380e960b138af893bbdd (patch)
tree: d371bc96bf6fd67d3fc1a626b340cf7631795df3
parent: 021af7629590c638ae0d4867d4b397f6e0c38ec8 (diff)
download: redis-2b0ac7427ba5a6e1bc89380e960b138af893bbdd.tar.gz
1 files changed, 3 insertions, 3 deletions
diff --git a/src/sds.c b/src/sds.c
index 12c9da356..73d9807ae 100644
--- a/src/sds.c
+++ b/src/sds.c
@@ -205,7 +205,7 @@ void sdsclear(sds s) {
 sds sdsMakeRoomFor(sds s, size_t addlen) {
     void *sh, *newsh;
     size_t avail = sdsavail(s);
-    size_t len, newlen;
+    size_t len, newlen, reqlen;
     char type, oldtype = s[-1] & SDS_TYPE_MASK;
     int hdrlen;
 
@@ -214,7 +214,7 @@ sds sdsMakeRoomFor(sds s, size_t addlen) {
 
     len = sdslen(s);
     sh = (char*)s-sdsHdrSize(oldtype);
-    newlen = (len+addlen);
+    reqlen = newlen = (len+addlen);
     assert(newlen > len);   /* Catch size_t overflow */
     if (newlen < SDS_MAX_PREALLOC)
         newlen *= 2;
@@ -229,7 +229,7 @@ sds sdsMakeRoomFor(sds s, size_t addlen) {
     if (type == SDS_TYPE_5) type = SDS_TYPE_8;
 
     hdrlen = sdsHdrSize(type);
-    assert(hdrlen+newlen+1 > len);  /* Catch size_t overflow */
+    assert(hdrlen + newlen + 1 > reqlen);  /* Catch size_t overflow */
     if (oldtype==type) {
         newsh = s_realloc(sh, hdrlen+newlen+1);
         if (newsh == NULL) return NULL;
author	YiyuanGUO <yguoaz@gmail.com>	2021-09-29 10:20:35 +0300
committer	Oran Agra <oran@redislabs.com>	2021-10-04 13:58:43 +0300
commit	2b0ac7427ba5a6e1bc89380e960b138af893bbdd (patch)
tree	d371bc96bf6fd67d3fc1a626b340cf7631795df3
parent	021af7629590c638ae0d4867d4b397f6e0c38ec8 (diff)
download	redis-2b0ac7427ba5a6e1bc89380e960b138af893bbdd.tar.gz