author | yiyuaner <yguoaz@gmail.com> | 2021-10-04 16:11:09 +0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-10-04 11:11:09 +0300 |
commit | 24cc0b984d4ed5045c6ff125b0e619b6ce5ea9c6 (patch) | |
tree | 210f53d689746a8a8ef0ca023d3eeb6c26013920 /src/sds.c | |
parent | 5becb7c9c69d23aa208a8325eae0d02846590a78 (diff) | |
Fix integer overflow in _sdsMakeRoomFor (CVE-2021-41099) (#9558)
The existing overflow checks handled the greedy growing, but didn't handle
a case where the addition of the header size is what causes the overflow.
Diffstat (limited to 'src/sds.c')
-rw-r--r-- | src/sds.c | 6 |
1 files changed, 3 insertions, 3 deletions
@@ -239,7 +239,7 @@ void sdsclear(sds s) {
 sds _sdsMakeRoomFor(sds s, size_t addlen, int greedy) {
 void *sh, *newsh;
 size_t avail = sdsavail(s);
- size_t len, newlen;
+ size_t len, newlen, reqlen;
 char type, oldtype = s[-1] & SDS_TYPE_MASK;
 int hdrlen;
 size_t usable;
@@ -249,7 +249,7 @@ sds _sdsMakeRoomFor(sds s, size_t addlen, int greedy) {
 len = sdslen(s);
 sh = (char*)s-sdsHdrSize(oldtype);
- newlen = (len+addlen);
+ reqlen = newlen = (len+addlen);
 assert(newlen > len); /* Catch size_t overflow */
 if (greedy == 1) {
 if (newlen < SDS_MAX_PREALLOC)
@@ -266,7 +266,7 @@ sds _sdsMakeRoomFor(sds s, size_t addlen, int greedy) {
 if (type == SDS_TYPE_5) type = SDS_TYPE_8;
 hdrlen = sdsHdrSize(type);
- assert(hdrlen + newlen + 1 > len); /* Catch size_t overflow */
+ assert(hdrlen + newlen + 1 > reqlen); /* Catch size_t overflow */
 if (oldtype==type) {
 newsh = s_realloc_usable(sh, hdrlen+newlen+1, &usable);
 if (newsh == NULL) return NULL; |
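Review bot: The corrected guard in the third hunk, `assert(hdrlen + newlen + 1 > reqlen)`, is still an assert, and it is the only check between a wrapped `hdrlen+newlen+1` and the `s_realloc_usable()` call two lines below it. If `assert` here resolves to the standard `<assert.h>` macro (the includes are not visible), a build with `NDEBUG` compiles the check out and the undersized allocation proceeds; where the assert is live, an oversized `addlen` aborts the whole process rather than failing the one request. The function already returns NULL when the allocator fails, so `if (hdrlen + newlen + 1 <= reqlen) return NULL;` would keep the check in every build, assuming callers treat NULL as an allocation failure. The same applies to `assert(newlen > len)` in the second hunk. The body of `_sdsMakeRoomFor` continues past the end of the hunk, so the later uses of `newlen` are not reviewed here.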