diff options
author | Oran Agra <oran@redislabs.com> | 2021-11-23 14:56:52 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-11-23 14:56:52 +0200 |
commit | a3a014294f019c17db5abba9011524626a41c7cf (patch) | |
tree | 34ffd26f1148aad72bf5cc9797127e1a3bbc9b82 /tests/integration | |
parent | b161cff5f92a01acc23ac4ff533e65bda579e1a6 (diff) | |
download | redis-a3a014294f019c17db5abba9011524626a41c7cf.tar.gz |
fix invalid read on corrupt ziplist (#9831)
If the last bytes in ziplist are corrupt and we decode from tail to head,
we may reach slightly outside the ziplist.
Diffstat (limited to 'tests/integration')
-rw-r--r-- | tests/integration/corrupt-dump.tcl | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/tests/integration/corrupt-dump.tcl b/tests/integration/corrupt-dump.tcl index 995ba7934..d647fcad4 100644 --- a/tests/integration/corrupt-dump.tcl +++ b/tests/integration/corrupt-dump.tcl @@ -774,5 +774,16 @@ test {corrupt payload: fuzzer findings - lpFind invalid access } { } } +test {corrupt payload: fuzzer findings - invalid access in ziplist tail prevlen decoding} { + start_server [list overrides [list loglevel verbose use-exit-on-panic yes crash-memcheck-enabled no] ] { + r debug set-skip-checksum-validation 1 + r config set sanitize-dump-payload no + r restore _listbig 0 "\x12\x02\x02\x1B\x1B\x00\x00\x00\x16\x00\x00\x00\x05\x00\x00\x02\x5F\x39\x04\xF9\x02\x02\x5F\x37\x04\xF7\x02\x02\x5F\x35\xFF\x02\x19\x19\x00\x00\x00\x16\x00\x00\x00\x05\x00\x00\xF5\x02\x02\x5F\x33\x04\xF3\x02\x02\x5F\x31\xFE\xF1\xFF\x0A\x00\x64\x0C\xEB\x03\xDF\x36\x61\xCE" + catch { r RPOPLPUSH _listbig _listbig } + assert_equal [count_log_message 0 "crashed by signal"] 0 + assert_equal [count_log_message 0 "ASSERTION FAILED"] 1 + } +} + } ;# tags |