
Commit c6ad876

yiyuaneroranagra
authored andcommitted
Fix integer overflow in _sdsMakeRoomFor (CVE-2021-41099)
1 parent f6a4057 commit c6ad876


1 file changed

+3
-3
lines changed


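--- a/src/sds.c
+++ b/src/sds.c
@@ -205,7 +205,7 @@ void sdsclear(sds s) {
 sds sdsMakeRoomFor(sds s, size_t addlen) {
 void *sh, *newsh;
 size_t avail = sdsavail(s);
-size_t len, newlen;
+size_t len, newlen, reqlen;
 char type, oldtype = s[-1] & SDS_TYPE_MASK;
 int hdrlen;
 
@@ -214,7 +214,7 @@ sds sdsMakeRoomFor(sds s, size_t addlen) {
 
 len = sdslen(s);
 sh = (char*)s-sdsHdrSize(oldtype);
-newlen = (len+addlen);
+reqlen = newlen = (len+addlen);
 assert(newlen > len); /* Catch size_t overflow */
 if (newlen < SDS_MAX_PREALLOC)
 newlen *= 2;
@@ -229,7 +229,7 @@ sds sdsMakeRoomFor(sds s, size_t addlen) {
 if (type == SDS_TYPE_5) type = SDS_TYPE_8;
 
 hdrlen = sdsHdrSize(type);
-assert(hdrlen + newlen + 1 > len); /* Catch size_t overflow */
+assert(hdrlen + newlen + 1 > reqlen); /* Catch size_t overflow */
 if (oldtype==type) {
 newsh = s_realloc(sh, hdrlen+newlen+1);
 if (newsh == NULL) return NULL;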
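Review bot: The corrected overflow guard at new line 232 is still an `assert`, so the fix only holds in builds where assertions are active; if this is the standard `<assert.h>` macro (the include is not visible on this page), an NDEBUG build would drop both checks and a wrapped size would reach `s_realloc(sh, hdrlen+newlen+1)`. Where assertions are active, an oversized request aborts the whole process, even though the function already has a `return NULL` failure path a few lines later. An explicit test such as `if (hdrlen + newlen + 1 <= reqlen) return NULL;` would survive every build configuration, provided callers check the result, which cannot be confirmed from here. The comment on line 232 is identical to the one on line 218 and would be clearer as `/* newlen was grown for preallocation above and may have wrapped; compare against the requested length */`. The body of sdsMakeRoomFor continues outside all three hunks, including the branch that grows newlen when it is not below SDS_MAX_PREALLOC.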
