diff options
author | Oran Agra <oran@redislabs.com> | 2021-10-04 12:09:25 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-10-04 12:09:25 +0300 |
commit | 7cb89a5a1cc8ee0b003a36b2eba42573c09c45f9 (patch) | |
tree | f230718f561386a8e5698aae3e298cf942265dfe /src/intset.c | |
parent | 24cc0b984d4ed5045c6ff125b0e619b6ce5ea9c6 (diff) | |
download | redis-7cb89a5a1cc8ee0b003a36b2eba42573c09c45f9.tar.gz |
Fix Integer overflow issue with intsets (CVE-2021-32687) (#9586)
The vulnerability involves changing the default set-max-intset-entries
configuration parameter to a very large value and constructing specially
crafted commands to manipulate sets
Diffstat (limited to 'src/intset.c')
-rw-r--r-- | src/intset.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/src/intset.c b/src/intset.c index 4a9214864..0e8365b46 100644 --- a/src/intset.c +++ b/src/intset.c @@ -104,7 +104,8 @@ intset *intsetNew(void) { /* Resize the intset */ static intset *intsetResize(intset *is, uint32_t len) { - uint32_t size = len*intrev32ifbe(is->encoding); + uint64_t size = (uint64_t)len*intrev32ifbe(is->encoding); + assert(size <= SIZE_MAX - sizeof(intset)); is = zrealloc(is,sizeof(intset)+size); return is; } |