diff options
author | Oran Agra <oran@redislabs.com> | 2023-01-16 13:49:30 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-01-16 13:49:30 +0200 |
commit | 1ec82e6e97e1db06a72ca505f9fbf6b981f31ef7 (patch) | |
tree | 6d15d2f79f93f70f671bdcab84b38f85b7a3f171 /src/sort.c | |
parent | 395d801a2d978c3bb3139498c51825c393ae4450 (diff) | |
download | redis-1ec82e6e97e1db06a72ca505f9fbf6b981f31ef7.tar.gz |
Avoid integer overflows in SETRANGE and SORT (CVE-2022-35977) (#11720)
Authenticated users issuing specially crafted SETRANGE and SORT(_RO)
commands can trigger an integer overflow, resulting with Redis attempting
to allocate impossible amounts of memory and abort with an OOM panic.
Diffstat (limited to 'src/sort.c')
-rw-r--r-- | src/sort.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/src/sort.c b/src/sort.c index 3132d17e1..77f4cbbc4 100644 --- a/src/sort.c +++ b/src/sort.c @@ -328,8 +328,10 @@ void sortCommandGeneric(client *c, int readonly) { default: vectorlen = 0; serverPanic("Bad SORT type"); /* Avoid GCC warning */ } - /* Perform LIMIT start,count sanity checking. */ - start = (limit_start < 0) ? 0 : limit_start; + /* Perform LIMIT start,count sanity checking. + * And avoid integer overflow by limiting inputs to object sizes. */ + start = min(max(limit_start, 0), vectorlen); + limit_count = min(max(limit_count, -1), vectorlen); end = (limit_count < 0) ? vectorlen-1 : start+limit_count-1; if (start >= vectorlen) { start = vectorlen-1; |