Prevent possible integer overflow (hiredis) #6449
Closed
Elements count in multi-bulk replies is read into a long long variable inside processAggregateItem.

In file deps/hiredis/read.c, line 423:

    long long elements;
    ...
    string2ll(p, len, &elements)

Anyway, later (line 482), its value is copied inside the elements member of a struct redisReadTask:

    cur->elements = elements;

Since the elements member was declared as an int, an integer overflow could happen.

Declaring the element as size_t is safe since even if size_t was a 32bit, there's a check at line 442 that prevents writing values bigger than it can accept.

    if (elements < -1 || (LLONG_MAX > SIZE_MAX && elements > SIZE_MAX)) {
        __redisReaderSetError(r,REDIS_ERR_PROTOCOL,
            "Multi-bulk length out of range");
        return REDIS_ERR;
    }
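
The narrowing described in this pull request, as an added example that is not part of the original post or of hiredis: the struct names and helper functions are hypothetical stand-ins, and only the range condition is taken from the check quoted above. It shows that a count just above INT_MAX passes that check yet does not survive an int member, while a size_t member keeps it.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-ins for the two declarations of the count member. */
struct task_before { int elements; };    /* narrower than the parsed value */
struct task_after  { size_t elements; }; /* the type the range check bounds */

/* Range test with the same condition as the check quoted above: returns 1
 * when the parsed count is accepted, 0 when it is "out of range". */
static int count_accepted(long long elements) {
    if (elements < -1 || (LLONG_MAX > SIZE_MAX && elements > SIZE_MAX))
        return 0;
    return 1;
}

/* Value read back after storing into the int member. Narrowing an
 * out-of-range value is implementation-defined; common compilers keep
 * only the low bits. */
static long long roundtrip_int(long long elements) {
    struct task_before t;
    t.elements = (int)elements;
    return t.elements;
}

/* Value read back after storing into the size_t member. */
static unsigned long long roundtrip_size_t(long long elements) {
    struct task_after t;
    t.elements = (size_t)elements;
    return t.elements;
}

int main(void) {
    /* Constructed counts: small, largest int, just past int, past 2^32. */
    const long long samples[] = { 3, INT_MAX, (long long)INT_MAX + 1, 4294967297LL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long long v = samples[i];
        if (!count_accepted(v)) {
            printf("%lld: rejected by range check\n", v);
            continue;
        }
        printf("%lld: accepted, int member reads %lld, size_t member reads %llu\n",
               v, roundtrip_int(v), roundtrip_size_t(v));
    }
    return 0;
}
```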