Backported for 5.0.3

From 48f04a82a0ac542341fb644a4cfbebadd5c59a33 Mon Sep 17 00:00:00 2001

From: Yossi Gottlieb <yossigo@gmail.com>

Date: Mon, 22 Feb 2021 15:41:32 +0200

Subject: [PATCH] Fix integer overflow (CVE-2021-21309). (#8522)

On 32-bit systems, setting the proto-max-bulk-len config parameter to a high value may result with integer overflow and a subsequent heap overflow when parsing an input bulk (CVE-2021-21309).

This fix has two parts:

Set a reasonable limit to the config parameter.

Add additional checks to prevent the problem in other potential but unknown code paths.

(cherry picked from commit d32f2e9999ce003bad0bd2c3bca29f64dcce4433)

Fix MSVR reported issue.

---

 src/config.c  | 16 ++++++++--------

 src/sds.c     |  3 +++

 src/zmalloc.c | 10 ++++++++++

 3 files changed, 21 insertions(+), 8 deletions(-)

diff --git a/src/sds.c b/src/sds.c

index cd60946bdd32..12c9da356d9b 100644

--- a/src/sds.c

+++ b/src/sds.c

@@ -96,6 +96,7 @@ sds sdsnewlen(const void *init, size_t initlen) {

     int hdrlen = sdsHdrSize(type);

     unsigned char *fp; /* flags pointer. */

+    assert(hdrlen+initlen+1 > initlen); /* Catch size_t overflow */

     sh = s_malloc(hdrlen+initlen+1);

     if (init==SDS_NOINIT)

         init = NULL;

@@ -214,6 +215,7 @@ sds sdsMakeRoomFor(sds s, size_t addlen) {

     len = sdslen(s);

     sh = (char*)s-sdsHdrSize(oldtype);

     newlen = (len+addlen);

+    assert(newlen > len);   /* Catch size_t overflow */

     if (newlen < SDS_MAX_PREALLOC)

         newlen *= 2;

     else

@@ -227,6 +229,7 @@ sds sdsMakeRoomFor(sds s, size_t addlen) {

     if (type == SDS_TYPE_5) type = SDS_TYPE_8;

     hdrlen = sdsHdrSize(type);

+    assert(hdrlen+newlen+1 > len);  /* Catch size_t overflow */

     if (oldtype==type) {

         newsh = s_realloc(sh, hdrlen+newlen+1);

         if (newsh == NULL) return NULL;

From 2b0ac7427ba5a6e1bc89380e960b138af893bbdd Mon Sep 17 00:00:00 2001

From: YiyuanGUO <yguoaz@gmail.com>

Date: Wed, 29 Sep 2021 10:20:35 +0300

Subject: [PATCH] Fix integer overflow in _sdsMakeRoomFor (CVE-2021-41099)

---

 src/sds.c | 6 +++---

 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/sds.c b/src/sds.c

index 12c9da356d9b..73d9807ae3c0 100644

--- a/src/sds.c

+++ b/src/sds.c

@@ -205,7 +205,7 @@ void sdsclear(sds s) {

 sds sdsMakeRoomFor(sds s, size_t addlen) {

     void *sh, *newsh;

     size_t avail = sdsavail(s);

-    size_t len, newlen;

+    size_t len, newlen, reqlen;

     char type, oldtype = s[-1] & SDS_TYPE_MASK;

     int hdrlen;

@@ -214,7 +214,7 @@ sds sdsMakeRoomFor(sds s, size_t addlen) {

     len = sdslen(s);

     sh = (char*)s-sdsHdrSize(oldtype);

-    newlen = (len+addlen);

+    reqlen = newlen = (len+addlen);

     assert(newlen > len);   /* Catch size_t overflow */

     if (newlen < SDS_MAX_PREALLOC)

         newlen *= 2;

@@ -229,7 +229,7 @@ sds sdsMakeRoomFor(sds s, size_t addlen) {

     if (type == SDS_TYPE_5) type = SDS_TYPE_8;

     hdrlen = sdsHdrSize(type);

-    assert(hdrlen+newlen+1 > len);  /* Catch size_t overflow */

+    assert(hdrlen + newlen + 1 > reqlen);  /* Catch size_t overflow */

     if (oldtype==type) {

         newsh = s_realloc(sh, hdrlen+newlen+1);

         if (newsh == NULL) return NULL;