author | Oran Agra <oran@redislabs.com> | 2021-08-05 22:56:14 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-08-05 22:56:14 +0300 |
commit | 0c90370e6d71cc68e4d9cc79a0d8b1e768712a5b (patch) | |
tree | f8feca4d562a45219246756cd5af37f2ad5d154a /src/dict.c | |
parent | 8ea777a6a02cae22aeff95f054d810f30b7b69ad (diff) | |
download | redis-0c90370e6d71cc68e4d9cc79a0d8b1e768712a5b.tar.gz |
Improvements to corrupt payload sanitization (#9321)
Recently we found two issues in the fuzzer tester: #9302 #9285
After fixing them, more problems surfaced and this PR (as well as #9297) aims to fix them.
Here's a list of the fixes
- Prevent an overflow when allocating a dict hashtable
- Prevent OOM when attempting to allocate a huge string
- Prevent a few invalid accesses in listpack
- Improve sanitization of listpack first entry
- Validate integrity of stream consumer groups PEL
- Validate integrity of stream listpack entry IDs
- Validate ziplist tail followed by extra data which start with 0xff
Co-authored-by: sundb <sundbcn@gmail.com>
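The first item in the list above, the dict hashtable size overflow, is the one this page's diff covers. The following is an added illustration, not Redis's code and not part of the commit: it puts the unguarded arithmetic next to a guarded version so the wraparound is visible. `next_exp`, `unchecked_table_bytes`, `checked_table_bytes`, `alloc_table` and the `dictEntry` stand-in are hypothetical names chosen for this example; the sample sizes in `main` are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for Redis's dictEntry; only sizeof(dictEntry*) matters here. */
typedef struct dictEntry dictEntry;

/* Smallest exponent e (>= 2, i.e. at least 4 slots) with (1 << e) >= size.
 * The exponent is capped at the width of unsigned long minus one so the
 * shift below can never be undefined. Illustrative reimplementation, not
 * Redis's _dictNextExp. */
static unsigned next_exp(unsigned long size) {
    const unsigned max_exp = 8 * sizeof(unsigned long) - 1;
    unsigned e = 2;
    if (size >= ((unsigned long)1 << max_exp)) return max_exp;
    while (((unsigned long)1 << e) < size) e++;
    return e;
}

/* Pre-fix shape of the arithmetic, for contrast: slot count times pointer
 * size with no guard. Near the top of the range the product wraps to a
 * small value or zero, so a caller would calloc a tiny buffer and then
 * index far past its end. */
size_t unchecked_table_bytes(unsigned long size) {
    return ((unsigned long)1 << next_exp(size)) * sizeof(dictEntry*);
}

/* Post-fix shape: byte size of a table holding `size` entries, or 0 when
 * the slot count cannot represent `size` (exponent was capped) or when
 * slots * sizeof(dictEntry*) would wrap. The division form of the
 * multiplication check does not depend on the slot count being a power
 * of two, unlike `a * b < a`. */
size_t checked_table_bytes(unsigned long size, unsigned *exp_out) {
    unsigned e = next_exp(size);
    size_t slots = (size_t)1 << e;
    if (slots < size) return 0;                            /* cap reached */
    if (slots > SIZE_MAX / sizeof(dictEntry*)) return 0;   /* bytes would wrap */
    if (exp_out) *exp_out = e;
    return slots * sizeof(dictEntry*);
}

/* Allocate only after the size computation succeeded, the same
 * "reject before calloc" shape as the fix. NULL on overflow or OOM. */
dictEntry **alloc_table(unsigned long size, unsigned *exp_out) {
    size_t bytes = checked_table_bytes(size, exp_out);
    if (bytes == 0) return NULL;
    return calloc(1, bytes);
}

int main(void) {
    /* Constructed inputs: an ordinary size, and the first size whose
     * table byte count no longer fits in size_t. */
    unsigned long sizes[] = { 1000, SIZE_MAX / sizeof(dictEntry*) + 1 };
    for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
        unsigned e = 0;
        size_t safe = checked_table_bytes(sizes[i], &e);
        printf("size=%lu unchecked=%zu bytes, checked=%zu bytes (exp %u)\n",
               sizes[i], unchecked_table_bytes(sizes[i]), safe, e);
    }
    return 0;
}
```

The second constructed size is the case a fuzzer reaches through a corrupt payload: `unchecked_table_bytes` returns 0 because the product wraps exactly to 2^64 (2^32 on a 32-bit target), while `checked_table_bytes` refuses it, so the allocation never happens and there is no undersized buffer for later writes to overrun.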
Diffstat (limited to 'src/dict.c')
-rw-r--r-- | src/dict.c | 9 |
1 file changed, 7 insertions, 2 deletions
diff --git a/src/dict.c b/src/dict.c index 3ae975049..bc03b0c96 100644 --- a/src/dict.c +++ b/src/dict.c @@ -152,17 +152,22 @@ int _dictExpand(dict *d, unsigned long size, int* malloc_failed) unsigned long new_ht_used; char new_ht_size_exp = _dictNextExp(size); + /* Detect overflows */ + size_t newsize = 1ul<<new_ht_size_exp; + if (newsize < size || newsize * sizeof(dictEntry*) < newsize) + return DICT_ERR; + /* Rehashing to the same table size is not useful. */ if (new_ht_size_exp == d->ht_size_exp[0]) return DICT_ERR; /* Allocate the new hash table and initialize all pointers to NULL */ if (malloc_failed) { - new_ht_table = ztrycalloc(((unsigned long)1<<new_ht_size_exp)*sizeof(dictEntry*)); + new_ht_table = ztrycalloc(newsize*sizeof(dictEntry*)); *malloc_failed = new_ht_table == NULL; if (*malloc_failed) return DICT_ERR; } else - new_ht_table = zcalloc(((unsigned long)1<<new_ht_size_exp)*sizeof(dictEntry*)); + new_ht_table = zcalloc(newsize*sizeof(dictEntry*)); new_ht_used = 0; |
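Review bot: the new early `return DICT_ERR` in the overflow check (like the existing same-size check right below it) leaves `*malloc_failed` unset when the caller passed a non-NULL pointer, so a caller that inspects `*malloc_failed` instead of the return value reads an indeterminate value; initialize it at function entry (`if (malloc_failed) *malloc_failed = 0;`) or set it on each early return. Two smaller points on the guard itself: `size_t newsize = 1ul<<new_ht_size_exp;` is evaluated before `newsize < size` is compared, so the check relies on `_dictNextExp` never returning an exponent of 64 or more (on a 32-bit `unsigned long`, 32), because the shift would already be undefined; and `newsize * sizeof(dictEntry*) < newsize` only detects wraparound reliably because `newsize` is a power of two (for an odd value near the top of the range the wrapped product can still exceed the operand). `newsize > SIZE_MAX / sizeof(dictEntry*)` is the conventional form that does not depend on that property, and a one-line comment on whichever form is kept would help the next reader.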