Fix integer overflow in _sdsMakeRoomFor (CVE-2021-41099) (#9558)

The existing overflow checks handled the greedy growing, but didn't handle a case where the addition of the header size is what causes the overflow.
redis · Oct 4, 2021 · 24cc0b9 · 24cc0b9
1 parent 5becb7c
commit 24cc0b9
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/src/sds.c b/src/sds.c
@@ -239,7 +239,7 @@ void sdsclear(sds s) {
 sds _sdsMakeRoomFor(sds s, size_t addlen, int greedy) {
     void *sh, *newsh;
     size_t avail = sdsavail(s);
-    size_t len, newlen;
+    size_t len, newlen, reqlen;
     char type, oldtype = s[-1] & SDS_TYPE_MASK;
     int hdrlen;
     size_t usable;
@@ -249,7 +249,7 @@ sds _sdsMakeRoomFor(sds s, size_t addlen, int greedy) {
 
     len = sdslen(s);
     sh = (char*)s-sdsHdrSize(oldtype);
-    newlen = (len+addlen);
+    reqlen = newlen = (len+addlen);
     assert(newlen > len);   /* Catch size_t overflow */
     if (greedy == 1) {
         if (newlen < SDS_MAX_PREALLOC)
@@ -266,7 +266,7 @@ sds _sdsMakeRoomFor(sds s, size_t addlen, int greedy) {
     if (type == SDS_TYPE_5) type = SDS_TYPE_8;
 
     hdrlen = sdsHdrSize(type);
-    assert(hdrlen + newlen + 1 > len);  /* Catch size_t overflow */
+    assert(hdrlen + newlen + 1 > reqlen);  /* Catch size_t overflow */
     if (oldtype==type) {
         newsh = s_realloc_usable(sh, hdrlen+newlen+1, &usable);
         if (newsh == NULL) return NULL;