Fix integer overflow in STRALGO LCS (CVE-2021-29477)

An integer overflow bug in Redis version 6.0 or newer could be exploited using the STRALGO LCS command to corrupt the heap and potentially result with remote code execution.
author: Oran Agra <oran@redislabs.com> 2021-05-03 08:32:31 +0300
committer: Oran Agra <oran@redislabs.com> 2021-05-03 18:59:47 +0300
commit: f0c5f920d0f88bd8aa376a2c05af4902789d1ef9 (patch)
tree: b19b7577c001b2ff50e755105e8010344a9f3a0b /src/t_string.c
parent: 29900d4e6bccdf3691bedf0ea9a5d84863fa3592 (diff)
download: redis-f0c5f920d0f88bd8aa376a2c05af4902789d1ef9.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/src/t_string.c b/src/t_string.c
index 9228c5ed0..db6f7042e 100644
--- a/src/t_string.c
+++ b/src/t_string.c
@@ -805,7 +805,7 @@ void stralgoLCS(client *c) {
     /* Setup an uint32_t array to store at LCS[i,j] the length of the
      * LCS A0..i-1, B0..j-1. Note that we have a linear array here, so
      * we index it as LCS[j+(blen+1)*j] */
-    uint32_t *lcs = zmalloc((alen+1)*(blen+1)*sizeof(uint32_t));
+    uint32_t *lcs = zmalloc((size_t)(alen+1)*(blen+1)*sizeof(uint32_t));
     #define LCS(A,B) lcs[(B)+((A)*(blen+1))]
 
     /* Start building the LCS table. */
author	Oran Agra <oran@redislabs.com>	2021-05-03 08:32:31 +0300
committer	Oran Agra <oran@redislabs.com>	2021-05-03 18:59:47 +0300
commit	f0c5f920d0f88bd8aa376a2c05af4902789d1ef9 (patch)
tree	b19b7577c001b2ff50e755105e8010344a9f3a0b /src/t_string.c
parent	29900d4e6bccdf3691bedf0ea9a5d84863fa3592 (diff)
download	redis-f0c5f920d0f88bd8aa376a2c05af4902789d1ef9.tar.gz