From 7da1992629dd2ffcdf56e8119cf1dae3ea406a80 Mon Sep 17 00:00:00 2001
From: Matt Stancliff <matt@genges.com>
Date: Sat, 28 Jun 2014 22:20:44 -0400
Subject: [PATCH] scripting: no eval with negative key count

Negative key count causes segfault in Lua functions.

Fixes #1842
Closes #1843
---
 src/scripting.c          | 3 +++
 tests/unit/scripting.tcl | 5 +++++
 2 files changed, 8 insertions(+)

diff --git a/src/scripting.c b/src/scripting.c
index ef00eede63e2..0a511e9817ad 100644
--- a/src/scripting.c
+++ b/src/scripting.c
@@ -910,6 +910,9 @@ void evalGenericCommand(redisClient *c, int evalsha) {
     if (numkeys > (c->argc - 3)) {
         addReplyError(c,"Number of keys can't be greater than number of args");
         return;
+    } else if (numkeys < 0) {
+        addReplyError(c,"Number of keys can't be negative");
+        return;
     }
 
     /* We obtain the script SHA1, then check if this function is already
diff --git a/tests/unit/scripting.tcl b/tests/unit/scripting.tcl
index 4190a0a49f46..d0c6f5d7a4b7 100644
--- a/tests/unit/scripting.tcl
+++ b/tests/unit/scripting.tcl
@@ -358,6 +358,11 @@ start_server {tags {"scripting"}} {
             return redis.call("get", "key")
         } 0
     } {12039611435714932082}
+
+    test {Verify negative arg count is error instead of crash (issue #1842)} {
+        catch { r eval { return "hello" } -12 } e
+        set e
+    } {ERR Number of keys can't be negative}
 }
 
 # Start a new server since the last test in this stanza will kill the