
hiredis-0.13.3-8.mga9.src.rpm

From: Yossi Gottlieb <yossigo@gmail.com>
Date: Tue, 13 Jul 2021 15:16:14 -0700
Subject: Fix for integer/buffer overflow CVE-2021-32765

This fix prevents hiredis from trying to allocate more than `SIZE_MAX`
bytes, which would result in a buffer overrun.

[Full Details](https://github.com/redis/hiredis/security/advisories/GHSA-hfm9-39pp-55p2)
---
 hiredis.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/hiredis.c b/hiredis.c
index 73d0251..a23e980 100644
--- a/hiredis.c
+++ b/hiredis.c
@@ -45,7 +45,7 @@
 
 static redisReply *createReplyObject(int type);
 static void *createStringObject(const redisReadTask *task, char *str, size_t len);
-static void *createArrayObject(const redisReadTask *task, int elements);
+static void *createArrayObject(const redisReadTask *task, size_t elements);
 static void *createIntegerObject(const redisReadTask *task, long long value);
 static void *createNilObject(const redisReadTask *task);
 
@@ -131,7 +131,7 @@ static void *createStringObject(const redisReadTask *task, char *str, size_t len
     return r;
 }
 
-static void *createArrayObject(const redisReadTask *task, int elements) {
+static void *createArrayObject(const redisReadTask *task, size_t elements) {
     redisReply *r, *parent;
 
     r = createReplyObject(REDIS_REPLY_ARRAY);
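Review bot: Widening `elements` to `size_t` in this definition (and in the forward declaration in the first hunk) only helps if the `createArray` callback slot and the code that parses the count use the same width, and the diffstat shows hiredis.c as the only file touched. If the reader's function-pointer type in this 0.13.3 tree still declares the parameter as `int`, the function would be installed and called through an incompatible pointer type, which is undefined behaviour and normally a compiler warning. The count would then also still be narrowed to `int` before it reaches the new bound check. Please confirm against the reader header, and if it still says `int`, update that declaration and the call site in the same patch. The function body continues past the end of this hunk.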
@@ -139,6 +139,7 @@ static void *createArrayObject(const redisReadTask *task, int elements) {
         return NULL;
 
     if (elements > 0) {
+        if (SIZE_MAX / sizeof(redisReply*) < elements) return NULL;  /* Don't overflow */
         r->element = calloc(elements,sizeof(redisReply*));
         if (r->element == NULL) {
             freeReplyObject(r);
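Review bot: The new overflow guard on the `SIZE_MAX / sizeof(redisReply*)` line returns NULL without releasing `r`, which `createReplyObject` allocated earlier in the same function (visible in the previous hunk). The calloc-failure branch directly below calls `freeReplyObject(r)` while `r->element` is still NULL, so the same call should be safe in the guard: `if (SIZE_MAX / sizeof(redisReply*) < elements) { freeReplyObject(r); return NULL; }`. The element count presumably comes from the peer's reply, so each rejected oversized array would leak one reply object. That lets a faulty or hostile server slowly grow the client's memory. The function continues past the end of this hunk.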