author | Oran Agra <oran@redislabs.com> | 2021-08-05 22:56:14 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-08-05 22:56:14 +0300 |
commit | 0c90370e6d71cc68e4d9cc79a0d8b1e768712a5b (patch) | |
tree | f8feca4d562a45219246756cd5af37f2ad5d154a /src/ziplist.c | |
parent | 8ea777a6a02cae22aeff95f054d810f30b7b69ad (diff) | |
download | redis-0c90370e6d71cc68e4d9cc79a0d8b1e768712a5b.tar.gz |
Improvements to corrupt payload sanitization (#9321)
Recently we found two issues in the fuzzer tester: #9302 #9285
After fixing them, more problems surfaced and this PR (as well as #9297) aims to fix them.
Here's a list of the fixes
- Prevent an overflow when allocating a dict hashtable
- Prevent OOM when attempting to allocate a huge string
- Prevent a few invalid accesses in listpack
- Improve sanitization of listpack first entry
- Validate integrity of stream consumer groups PEL
- Validate integrity of stream listpack entry IDs
- Validate ziplist tail followed by extra data which start with 0xff
Co-authored-by: sundb <sundbcn@gmail.com>
Diffstat (limited to 'src/ziplist.c')
-rw-r--r-- | src/ziplist.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/src/ziplist.c b/src/ziplist.c index 9aab8822c..1b934a292 100644 --- a/src/ziplist.c +++ b/src/ziplist.c @@ -1522,6 +1522,10 @@ int ziplistValidateIntegrity(unsigned char *zl, size_t size, int deep, count++; } + /* Make sure 'p' really does point to the end of the ziplist. */ + if (p != zl + bytes - ZIPLIST_END_SIZE) + return 0; + /* Make sure the <zltail> entry really do point to the start of the last entry. */ if (prev != ZIPLIST_ENTRY_TAIL(zl)) return 0; |
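
Review bot: the comment on the new `p != zl + bytes - ZIPLIST_END_SIZE` check states what is compared but not why the entry walk above it can stop before the real end. The commit message names the case (a tail followed by extra data which starts with 0xff), and that belongs in the comment so the check is not later mistaken for redundant next to the `prev != ZIPLIST_ENTRY_TAIL(zl)` test that follows. The check also relies on `bytes`, which is not set in the visible lines. It only constrains `p` if `bytes` has already been validated against the `size` argument earlier in the function, so confirm that or note the dependency here. The diffstat shown is limited to src/ziplist.c, so no regression test is visible for this path; a corrupt-payload test with a ziplist whose tail is followed by an 0xff byte and further data would pin the behaviour.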