authorOran Agra <oran@redislabs.com>2021-05-03 08:32:31 +0300
committerOran Agra <oran@redislabs.com>2021-05-03 22:57:00 +0300
commit92e3b1802f72ca0c5b0bde97f01d9b57a758d85c (patch)
tree736b8ef647c4a0baa50312cf73b920b27aac8018
parent046352069396fe3be0a50ca505cb65af15c0d995 (diff)
downloadredis-92e3b1802f72ca0c5b0bde97f01d9b57a758d85c.tar.gz
Fix integer overflow in STRALGO LCS (CVE-2021-29477)
An integer overflow bug in Redis version 6.0 or newer could be exploited using the STRALGO LCS command to corrupt the heap and potentially result in remote code execution. (cherry picked from commit f0c5f920d0f88bd8aa376a2c05af4902789d1ef9)
-rw-r--r--src/t_string.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/t_string.c b/src/t_string.c
index 0967e30e1..490d5983a 100644
--- a/src/t_string.c
+++ b/src/t_string.c
@@ -805,7 +805,7 @@ void stralgoLCS(client *c) {
/* Setup an uint32_t array to store at LCS[i,j] the length of the
* LCS A0..i-1, B0..j-1. Note that we have a linear array here, so
* we index it as LCS[j+(blen+1)*j] */
- uint32_t *lcs = zmalloc((alen+1)*(blen+1)*sizeof(uint32_t));
+ uint32_t *lcs = zmalloc((size_t)(alen+1)*(blen+1)*sizeof(uint32_t));
#define LCS(A,B) lcs[(B)+((A)*(blen+1))]
/* Start building the LCS table. */
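Review bot: The `(size_t)` cast on the `zmalloc` line only widens the product where `size_t` is wider than the operands, so on a 32-bit build `(alen+1)*(blen+1)*sizeof(uint32_t)` can presumably still wrap and under-allocate `lcs` (the declarations of `alen` and `blen` are outside the hunk, so their width is inferred from the need for the cast). An explicit bound before the allocation would close that on every platform, e.g. `uint64_t cells = (uint64_t)(alen+1)*(blen+1);` followed by `if (cells > SIZE_MAX/sizeof(uint32_t)) { /* reply with an error and skip the allocation */ }`. The `LCS(A,B)` macro on the next line still computes `(A)*(blen+1)` in the operands' own type, so the index should be widened the same way, `lcs[(size_t)(B)+((size_t)(A)*(blen+1))]`. The comment above the allocation also reads `LCS[j+(blen+1)*j]` where the macro computes `B+(A*(blen+1))`, i.e. `LCS[j+(blen+1)*i]`. stralgoLCS's body starts and ends outside the hunk.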