author | Oran Agra <oran@redislabs.com> | 2021-11-23 14:56:52 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-11-23 14:56:52 +0200 |
commit | a3a014294f019c17db5abba9011524626a41c7cf (patch) | |
tree | 34ffd26f1148aad72bf5cc9797127e1a3bbc9b82 /src/ziplist.c | |
parent | b161cff5f92a01acc23ac4ff533e65bda579e1a6 (diff) | |
download | redis-a3a014294f019c17db5abba9011524626a41c7cf.tar.gz |
fix invalid read on corrupt ziplist (#9831)
If the last bytes in ziplist are corrupt and we decode from tail to head,
we may reach slightly outside the ziplist.
Diffstat (limited to 'src/ziplist.c')
-rw-r--r-- | src/ziplist.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/src/ziplist.c b/src/ziplist.c
index 3b5b7c356..8a65f3931 100644
--- a/src/ziplist.c
+++ b/src/ziplist.c
@@ -1160,6 +1160,8 @@ unsigned char *ziplistIndex(unsigned char *zl, int index) {
 /* No need for "safe" check: when going backwards, we know the header
 * we're parsing is in the range, we just need to assert (below) that
 * the size we take doesn't cause p to go outside the allocation. */
+ ZIP_DECODE_PREVLENSIZE(p, prevlensize);
+ assert(p + prevlensize < zl + zlbytes - ZIPLIST_END_SIZE);
 ZIP_DECODE_PREVLEN(p, prevlensize, prevlen);
 while (prevlen > 0 && index--) {
 p -= prevlen; |
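Review bot: The comment directly above the two added lines still says no "safe" check is needed because the header being parsed is known to be in range, which the new `assert(p + prevlensize < zl + zlbytes - ZIPLIST_END_SIZE)` now contradicts for the tail entry. I would reword it along the lines of `/* The last bytes may be corrupt: check that the tail entry's prevlen field ends before the end marker before decoding it. */`. Inside the `while` loop, `p -= prevlen` lands on an entry whose prevlen field can again span several bytes; the loop body continues outside the hunk, so it is worth confirming that the bound asserted there covers `p + prevlensize` and not only `p`. The check also only protects production builds if `assert` in this file is not compiled out under NDEBUG, which the hunk does not show.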