From: Yossi Gottlieb <yossigo@gmail.com>
Date: Tue, 13 Jul 2021 15:16:14 -0700
Subject: Fix for integer/buffer overflow CVE-2021-32765

This fix prevents hiredis from trying to allocate more than `SIZE_MAX` bytes, which would result in a buffer overrun.
[Full Details](https://github.com/redis/hiredis/security/advisories/GHSA-hfm9-39pp-55p2)
---
 hiredis.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/hiredis.c b/hiredis.c
index 73d0251..a23e980 100644
--- a/hiredis.c
+++ b/hiredis.c
@@ -45,7 +45,7 @@
 static redisReply *createReplyObject(int type);
 static void *createStringObject(const redisReadTask *task, char *str, size_t len);
-static void *createArrayObject(const redisReadTask *task, int elements);
+static void *createArrayObject(const redisReadTask *task, size_t elements);
 static void *createIntegerObject(const redisReadTask *task, long long value);
 static void *createNilObject(const redisReadTask *task);
@@ -131,7 +131,7 @@ static void *createStringObject(const redisReadTask *task, char *str, size_t len
 return r;
 }
-static void *createArrayObject(const redisReadTask *task, int elements) {
+static void *createArrayObject(const redisReadTask *task, size_t elements) {
 redisReply *r, *parent;
 r = createReplyObject(REDIS_REPLY_ARRAY);
@@ -139,6 +139,7 @@ static void *createArrayObject(const redisReadTask *task, int elements) {
 return NULL;
 if (elements > 0) {
+ if (SIZE_MAX / sizeof(redisReply*) < elements) return NULL; /* Don't overflow */
 r->element = calloc(elements,sizeof(redisReply*));
 if (r->element == NULL) {
 freeReplyObject(r);
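Review bot: The count parameter of `createArrayObject` changes from `int` to `size_t` in this prototype and at the definition in the second hunk, but the diffstat lists only hiredis.c, so any declaration through which callers reach the function is left as it was. If the function is installed in a callback table whose array-creation slot is still declared with an `int` count (not visible in this patch), the initializer becomes an incompatible pointer type and calling through it is undefined behaviour, with no guarantee that the upper bits of `elements` are zero. Confirm that the slot's declaration and the reader's count variable are widened in the same series, and that a negative count is rejected before it is converted to `size_t`.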
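Review bot: The new overflow guard in the third hunk returns NULL without releasing `r`, which was obtained from `createReplyObject` just above; the `calloc` failure path directly below calls `freeReplyObject(r)` before returning, so the two error paths disagree and the overflow path leaks one reply object each time it is taken. The element count presumably comes from the reply being parsed, in which case a misbehaving peer could trigger the leak repeatedly. Free the object on this path as well: `if (SIZE_MAX / sizeof(redisReply*) < elements) { freeReplyObject(r); return NULL; }`. The body of createArrayObject starts before and continues past this hunk, so the remaining paths could not be checked here.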