rpms / redis

Clone
Source Code
GIT

Blame SOURCES/redis-CVE-2021-26477.patch

c8-beta-stream-5 c8-beta-stream-6 c8-stream-5 c8-stream-6 c8s-stream-6 c9 c9-beta
  1.   36c597cc511d55bb651ff80968a325266c70743a
  2.   SOURCES
  3.   redis-CVE-2021-26477.patch
Blob History Raw
7f5e89 
From 394614a5f91d88380f480c4610926a865b5b0f16 Mon Sep 17 00:00:00 2001
7f5e89 
From: Oran Agra <oran@redislabs.com>
7f5e89 
Date: Mon, 3 May 2021 08:32:31 +0300
7f5e89 
Subject: [PATCH] Fix integer overflow in STRALGO LCS (CVE-2021-29477)
7f5e89
7f5e89 
An integer overflow bug in Redis version 6.0 or newer could be exploited using
7f5e89 
the STRALGO LCS command to corrupt the heap and potentially result with remote
7f5e89 
code execution.
7f5e89
7f5e89 
(cherry picked from commit f0c5f920d0f88bd8aa376a2c05af4902789d1ef9)
7f5e89 
---
7f5e89 
 src/t_string.c | 2 +-
7f5e89 
 1 file changed, 1 insertion(+), 1 deletion(-)
7f5e89
7f5e89 
diff --git a/src/t_string.c b/src/t_string.c
7f5e89 
index 4886f7e44388..5310a297db16 100644
7f5e89 
--- a/src/t_string.c
7f5e89 
+++ b/src/t_string.c
7f5e89 
@@ -576,7 +576,7 @@ void stralgoLCS(client *c) {
7f5e89 
     /* Setup an uint32_t array to store at LCS[i,j] the length of the
7f5e89 
      * LCS A0..i-1, B0..j-1. Note that we have a linear array here, so
7f5e89 
      * we index it as LCS[j+(blen+1)*j] */
7f5e89 
-    uint32_t *lcs = zmalloc((alen+1)*(blen+1)*sizeof(uint32_t));
7f5e89 
+    uint32_t *lcs = zmalloc((size_t)(alen+1)*(blen+1)*sizeof(uint32_t));
7f5e89 
     #define LCS(A,B) lcs[(B)+((A)*(blen+1))]
7f5e89
7f5e89 
     /* Start building the LCS table. */

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation