authorOran Agra <oran@redislabs.com>2023-01-16 13:49:30 +0200
committerGitHub <noreply@github.com>2023-01-16 13:49:30 +0200
commit1ec82e6e97e1db06a72ca505f9fbf6b981f31ef7 (patch)
tree6d15d2f79f93f70f671bdcab84b38f85b7a3f171 /src/sort.c
parent395d801a2d978c3bb3139498c51825c393ae4450 (diff)
Avoid integer overflows in SETRANGE and SORT (CVE-2022-35977) (#11720)
Authenticated users issuing specially crafted SETRANGE and SORT(_RO) commands can trigger an integer overflow, resulting in Redis attempting to allocate impossible amounts of memory and aborting with an OOM panic.
Diffstat (limited to 'src/sort.c')
-rw-r--r--src/sort.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/src/sort.c b/src/sort.c
index 3132d17e1..77f4cbbc4 100644
--- a/src/sort.c
+++ b/src/sort.c
@@ -328,8 +328,10 @@ void sortCommandGeneric(client *c, int readonly) {
default: vectorlen = 0; serverPanic("Bad SORT type"); /* Avoid GCC warning */
}
- /* Perform LIMIT start,count sanity checking. */
- start = (limit_start < 0) ? 0 : limit_start;
+ /* Perform LIMIT start,count sanity checking.
+ * And avoid integer overflow by limiting inputs to object sizes. */
+ start = min(max(limit_start, 0), vectorlen);
+ limit_count = min(max(limit_count, -1), vectorlen);
end = (limit_count < 0) ? vectorlen-1 : start+limit_count-1;
if (start >= vectorlen) {
start = vectorlen-1;