rpms / redis

Clone
Source Code
GIT

Blame SOURCES/php-CVE-2019-10192.patch

c8-beta-stream-5 c8-beta-stream-6 c8-stream-5 c8-stream-6 c8s-stream-6 c9 c9-beta
  1.   35eea663c960c26d6621e2853db923c7c878d261
  2.   SOURCES
  3.   php-CVE-2019-10192.patch
Blob History Raw
35eea6 
From 9f13b2bd4967334b1701c6eccdf53760cb13f79e Mon Sep 17 00:00:00 2001
35eea6 
From: John Sully <john@csquare.ca>
35eea6 
Date: Thu, 14 Mar 2019 14:02:16 -0400
35eea6 
Subject: [PATCH] Fix hyperloglog corruption
35eea6
35eea6 
---
35eea6 
 src/hyperloglog.c | 6 ++++++
35eea6 
 1 file changed, 6 insertions(+)
35eea6
35eea6 
diff --git a/src/hyperloglog.c b/src/hyperloglog.c
35eea6 
index fc21ea0065d..e993bf26e1d 100644
35eea6 
--- a/src/hyperloglog.c
35eea6 
+++ b/src/hyperloglog.c
35eea6 
@@ -614,6 +614,10 @@ int hllSparseToDense(robj *o) {
35eea6 
         } else {
35eea6 
             runlen = HLL_SPARSE_VAL_LEN(p);
35eea6 
             regval = HLL_SPARSE_VAL_VALUE(p);
35eea6 
+            if ((runlen + idx) > HLL_REGISTERS) {
35eea6 
+                sdsfree(dense);
35eea6 
+                return C_ERR;
35eea6 
+            }
35eea6 
             while(runlen--) {
35eea6 
                 HLL_DENSE_SET_REGISTER(hdr->registers,idx,regval);
35eea6 
                 idx++;
35eea6 
@@ -1088,6 +1092,8 @@ int hllMerge(uint8_t *max, robj *hll) {
35eea6 
             } else {
35eea6 
                 runlen = HLL_SPARSE_VAL_LEN(p);
35eea6 
                 regval = HLL_SPARSE_VAL_VALUE(p);
35eea6 
+                if ((runlen + i) > HLL_REGISTERS)
35eea6 
+                    return C_ERR;
35eea6 
                 while(runlen--) {
35eea6 
                     if (regval > max[i]) max[i] = regval;
35eea6 
                     i++;
35eea6 
From e216ceaf0e099536fe3658a29dcb725d812364e0 Mon Sep 17 00:00:00 2001
35eea6 
From: antirez <antirez@gmail.com>
35eea6 
Date: Fri, 15 Mar 2019 17:16:06 +0100
35eea6 
Subject: [PATCH] HyperLogLog: handle wrong offset in the base case.
35eea6
35eea6 
---
35eea6 
 src/hyperloglog.c | 8 ++------
35eea6 
 1 file changed, 2 insertions(+), 6 deletions(-)
35eea6
35eea6 
diff --git a/src/hyperloglog.c b/src/hyperloglog.c
35eea6 
index 526510b43b9..1e7ce3dceb7 100644
35eea6 
--- a/src/hyperloglog.c
35eea6 
+++ b/src/hyperloglog.c
35eea6 
@@ -614,10 +614,7 @@ int hllSparseToDense(robj *o) {
35eea6 
         } else {
35eea6 
             runlen = HLL_SPARSE_VAL_LEN(p);
35eea6 
             regval = HLL_SPARSE_VAL_VALUE(p);
35eea6 
-            if ((runlen + idx) > HLL_REGISTERS) {
35eea6 
-                sdsfree(dense);
35eea6 
-                return C_ERR;
35eea6 
-            }
35eea6 
+            if ((runlen + idx) > HLL_REGISTERS) break; /* Overflow. */
35eea6 
             while(runlen--) {
35eea6 
                 HLL_DENSE_SET_REGISTER(hdr->registers,idx,regval);
35eea6 
                 idx++;
35eea6 
@@ -1097,8 +1094,7 @@ int hllMerge(uint8_t *max, robj *hll) {
35eea6 
             } else {
35eea6 
                 runlen = HLL_SPARSE_VAL_LEN(p);
35eea6 
                 regval = HLL_SPARSE_VAL_VALUE(p);
35eea6 
-                if ((runlen + i) > HLL_REGISTERS)
35eea6 
-                    return C_ERR;
35eea6 
+                if ((runlen + i) > HLL_REGISTERS) break; /* Overflow. */
35eea6 
                 while(runlen--) {
35eea6 
                     if (regval > max[i]) max[i] = regval;
35eea6 
                     i++;
35eea6 
From 4208666797b5831eefc022ae46ab5747200cd671 Mon Sep 17 00:00:00 2001
35eea6 
From: antirez <antirez@gmail.com>
35eea6 
Date: Fri, 15 Mar 2019 13:52:29 +0100
35eea6 
Subject: [PATCH] HyperLogLog: dense/sparse repr parsing fuzz test.
35eea6
35eea6 
---
35eea6 
 tests/unit/hyperloglog.tcl | 29 +++++++++++++++++++++++++++++
35eea6 
 1 file changed, 29 insertions(+)
35eea6
35eea6 
diff --git a/tests/unit/hyperloglog.tcl b/tests/unit/hyperloglog.tcl
35eea6 
index 7d36b7a351f..6a9c47b11c5 100644
35eea6 
--- a/tests/unit/hyperloglog.tcl
35eea6 
+++ b/tests/unit/hyperloglog.tcl
35eea6 
@@ -115,6 +115,35 @@ start_server {tags {"hll"}} {
35eea6 
         set e
35eea6 
     } {*WRONGTYPE*}
35eea6
35eea6 
+    test {Fuzzing dense/sparse encoding: Redis should always detect errors} {
35eea6 
+        for {set j 0} {$j < 10000} {incr j} {
35eea6 
+            r del hll
35eea6 
+            set items {}
35eea6 
+            set numitems [randomInt 3000]
35eea6 
+            for {set i 0} {$i < $numitems} {incr i} {
35eea6 
+                lappend items [expr {rand()}]
35eea6 
+            }
35eea6 
+            r pfadd hll {*}$items
35eea6 
+
35eea6 
+            # Corrupt it in some random way.
35eea6 
+            for {set i 0} {$i < 5} {incr i} {
35eea6 
+                set len [r strlen hll]
35eea6 
+                set pos [randomInt $len]
35eea6 
+                set byte [randstring 1 1 binary]
35eea6 
+                r setrange hll $pos $byte
35eea6 
+                # Don't modify more bytes 50% of times
35eea6 
+                if {rand() < 0.5} break
35eea6 
+            }
35eea6 
+
35eea6 
+            # Use the hyperloglog to check if it crashes
35eea6 
+            # Redis in some way.
35eea6 
+            catch {
35eea6 
+                r pfcount hll
35eea6 
+                r pfdebug getreg hll
35eea6 
+            }
35eea6 
+        }
35eea6 
+    }
35eea6 
+
35eea6 
     test {PFADD, PFCOUNT, PFMERGE type checking works} {
35eea6 
         r set foo bar
35eea6 
         catch {r pfadd foo 1} e

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation