diff options
author | Oran Agra <oran@redislabs.com> | 2021-05-03 08:32:31 +0300 |
---|---|---|
committer | Oran Agra <oran@redislabs.com> | 2021-05-03 18:59:47 +0300 |
commit | f0c5f920d0f88bd8aa376a2c05af4902789d1ef9 (patch) | |
tree | b19b7577c001b2ff50e755105e8010344a9f3a0b /src | |
parent | 29900d4e6bccdf3691bedf0ea9a5d84863fa3592 (diff) | |
download | redis-f0c5f920d0f88bd8aa376a2c05af4902789d1ef9.tar.gz |
Fix integer overflow in STRALGO LCS (CVE-2021-29477)
An integer overflow bug in Redis version 6.0 or newer could be exploited using
the STRALGO LCS command to corrupt the heap and potentially result with remote
code execution.
Diffstat (limited to 'src')
-rw-r--r-- | src/t_string.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/t_string.c b/src/t_string.c index 9228c5ed0..db6f7042e 100644 --- a/src/t_string.c +++ b/src/t_string.c @@ -805,7 +805,7 @@ void stralgoLCS(client *c) { /* Setup an uint32_t array to store at LCS[i,j] the length of the * LCS A0..i-1, B0..j-1. Note that we have a linear array here, so * we index it as LCS[j+(blen+1)*j] */ - uint32_t *lcs = zmalloc((alen+1)*(blen+1)*sizeof(uint32_t)); + uint32_t *lcs = zmalloc((size_t)(alen+1)*(blen+1)*sizeof(uint32_t)); #define LCS(A,B) lcs[(B)+((A)*(blen+1))] /* Start building the LCS table. */ |