Fix LUA_OBJCACHE segfault.

When scanning the argument list inside of a redis.call() invocation for pre-cached values, there was no check being done that the argument we were on was in fact within the bounds of the cache size. So if a redis.call() command was ever executed with more than 32 arguments (current cache size #define setting) redis-server could segfault.
author: michael-grunder <michael.grunder@gmail.com> 2014-05-19 13:18:13 -0700
committer: michael-grunder <michael.grunder@gmail.com> 2014-05-19 13:18:13 -0700
commit: ea0e2524aae1bbd0fa6bd29e1867dc1ca133bfa5 (patch)
tree: 70b91ad1d8d657d058f4859de0dafbb7a6dbe40b
parent: a9e62ab9faee3d18478df8583d2bbb2eabfc3cef (diff)
download: redis-ea0e2524aae1bbd0fa6bd29e1867dc1ca133bfa5.tar.gz
1 files changed, 3 insertions, 1 deletions
diff --git a/src/scripting.c b/src/scripting.c
index 401ebcb20..e173f4240 100644
--- a/src/scripting.c
+++ b/src/scripting.c
@@ -237,7 +237,9 @@ int luaRedisGenericCommand(lua_State *lua, int raise_error) {
         if (obj_s == NULL) break; /* Not a string. */
 
         /* Try to use a cached object. */
-        if (cached_objects[j] && cached_objects_len[j] >= obj_len) {
+        if (j < LUA_CMD_OBJCACHE_SIZE && cached_objects[j] && 
+            cached_objects_len[j] >= obj_len) 
+        {
             char *s = cached_objects[j]->ptr;
             struct sdshdr *sh = (void*)(s-(sizeof(struct sdshdr)));
author	michael-grunder <michael.grunder@gmail.com>	2014-05-19 13:18:13 -0700
committer	michael-grunder <michael.grunder@gmail.com>	2014-05-19 13:18:13 -0700
commit	ea0e2524aae1bbd0fa6bd29e1867dc1ca133bfa5 (patch)
tree	70b91ad1d8d657d058f4859de0dafbb7a6dbe40b
parent	a9e62ab9faee3d18478df8583d2bbb2eabfc3cef (diff)
download	redis-ea0e2524aae1bbd0fa6bd29e1867dc1ca133bfa5.tar.gz