diff options
author | Yossi Gottlieb <yossigo@gmail.com> | 2021-10-12 20:16:29 +0300 |
---|---|---|
committer | Oran Agra <oran@redislabs.com> | 2022-04-27 16:31:52 +0300 |
commit | 21ab5d4f78891aec57818b8118367d339f0bfb5d (patch) | |
tree | a890e5e1668b8868fa57ae57741170b9baaa8ba7 | |
parent | 0fb96d55bd4d82c1f02442a16b19a2245cfd73e9 (diff) | |
download | redis-21ab5d4f78891aec57818b8118367d339f0bfb5d.tar.gz |
hiredis: improve calloc() overflow fix. (#9630)
Cherry pick a more complete fix to 0215324a6 that also doesn't leak
memory from latest hiredis.
(cherry picked from commit 922ef86a3b1c15292e1f35338a0ac137a08a11b4)
-rw-r--r-- | deps/hiredis/alloc.c | 4 | ||||
-rw-r--r-- | deps/hiredis/alloc.h | 5 | ||||
-rw-r--r-- | deps/hiredis/hiredis.c | 1 |
3 files changed, 9 insertions, 1 deletions
diff --git a/deps/hiredis/alloc.c b/deps/hiredis/alloc.c index 7fb6b35e7..0902286c7 100644 --- a/deps/hiredis/alloc.c +++ b/deps/hiredis/alloc.c @@ -68,6 +68,10 @@ void *hi_malloc(size_t size) { } void *hi_calloc(size_t nmemb, size_t size) { + /* Overflow check as the user can specify any arbitrary allocator */ + if (SIZE_MAX / size < nmemb) + return NULL; + return hiredisAllocFns.callocFn(nmemb, size); } diff --git a/deps/hiredis/alloc.h b/deps/hiredis/alloc.h index 34a05f49f..771f9fee5 100644 --- a/deps/hiredis/alloc.h +++ b/deps/hiredis/alloc.h @@ -32,6 +32,7 @@ #define HIREDIS_ALLOC_H #include <stddef.h> /* for size_t */ +#include <stdint.h> #ifdef __cplusplus extern "C" { @@ -59,6 +60,10 @@ static inline void *hi_malloc(size_t size) { } static inline void *hi_calloc(size_t nmemb, size_t size) { + /* Overflow check as the user can specify any arbitrary allocator */ + if (SIZE_MAX / size < nmemb) + return NULL; + return hiredisAllocFns.callocFn(nmemb, size); } diff --git a/deps/hiredis/hiredis.c b/deps/hiredis/hiredis.c index 990f61960..51f22a665 100644 --- a/deps/hiredis/hiredis.c +++ b/deps/hiredis/hiredis.c @@ -174,7 +174,6 @@ static void *createArrayObject(const redisReadTask *task, size_t elements) { return NULL; if (elements > 0) { - if (SIZE_MAX / sizeof(redisReply*) < elements) return NULL; /* Don't overflow */ r->element = hi_calloc(elements,sizeof(redisReply*)); if (r->element == NULL) { freeReplyObject(r); |