From 35eea663c960c26d6621e2853db923c7c878d261 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Nov 15 2019 13:27:59 +0000
Subject: import redis-5.0.3-2.module+el8.0.0.z+3657+acb471dc


---

diff --git a/SOURCES/php-CVE-2019-10192.patch b/SOURCES/php-CVE-2019-10192.patch
new file mode 100644
index 0000000..82358e4
--- /dev/null
+++ b/SOURCES/php-CVE-2019-10192.patch
@@ -0,0 +1,117 @@
+From 9f13b2bd4967334b1701c6eccdf53760cb13f79e Mon Sep 17 00:00:00 2001
+From: John Sully <john@csquare.ca>
+Date: Thu, 14 Mar 2019 14:02:16 -0400
+Subject: [PATCH] Fix hyperloglog corruption
+
+---
+ src/hyperloglog.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/hyperloglog.c b/src/hyperloglog.c
+index fc21ea0065d..e993bf26e1d 100644
+--- a/src/hyperloglog.c
++++ b/src/hyperloglog.c
+@@ -614,6 +614,10 @@ int hllSparseToDense(robj *o) {
+         } else {
+             runlen = HLL_SPARSE_VAL_LEN(p);
+             regval = HLL_SPARSE_VAL_VALUE(p);
++            if ((runlen + idx) > HLL_REGISTERS) {
++                sdsfree(dense);
++                return C_ERR;
++            }
+             while(runlen--) {
+                 HLL_DENSE_SET_REGISTER(hdr->registers,idx,regval);
+                 idx++;
+@@ -1088,6 +1092,8 @@ int hllMerge(uint8_t *max, robj *hll) {
+             } else {
+                 runlen = HLL_SPARSE_VAL_LEN(p);
+                 regval = HLL_SPARSE_VAL_VALUE(p);
++                if ((runlen + i) > HLL_REGISTERS)
++                    return C_ERR;
+                 while(runlen--) {
+                     if (regval > max[i]) max[i] = regval;
+                     i++;
+From e216ceaf0e099536fe3658a29dcb725d812364e0 Mon Sep 17 00:00:00 2001
+From: antirez <antirez@gmail.com>
+Date: Fri, 15 Mar 2019 17:16:06 +0100
+Subject: [PATCH] HyperLogLog: handle wrong offset in the base case.
+
+---
+ src/hyperloglog.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/src/hyperloglog.c b/src/hyperloglog.c
+index 526510b43b9..1e7ce3dceb7 100644
+--- a/src/hyperloglog.c
++++ b/src/hyperloglog.c
+@@ -614,10 +614,7 @@ int hllSparseToDense(robj *o) {
+         } else {
+             runlen = HLL_SPARSE_VAL_LEN(p);
+             regval = HLL_SPARSE_VAL_VALUE(p);
+-            if ((runlen + idx) > HLL_REGISTERS) {
+-                sdsfree(dense);
+-                return C_ERR;
+-            }
++            if ((runlen + idx) > HLL_REGISTERS) break; /* Overflow. */
+             while(runlen--) {
+                 HLL_DENSE_SET_REGISTER(hdr->registers,idx,regval);
+                 idx++;
+@@ -1097,8 +1094,7 @@ int hllMerge(uint8_t *max, robj *hll) {
+             } else {
+                 runlen = HLL_SPARSE_VAL_LEN(p);
+                 regval = HLL_SPARSE_VAL_VALUE(p);
+-                if ((runlen + i) > HLL_REGISTERS)
+-                    return C_ERR;
++                if ((runlen + i) > HLL_REGISTERS) break; /* Overflow. */
+                 while(runlen--) {
+                     if (regval > max[i]) max[i] = regval;
+                     i++;
+From 4208666797b5831eefc022ae46ab5747200cd671 Mon Sep 17 00:00:00 2001
+From: antirez <antirez@gmail.com>
+Date: Fri, 15 Mar 2019 13:52:29 +0100
+Subject: [PATCH] HyperLogLog: dense/sparse repr parsing fuzz test.
+
+---
+ tests/unit/hyperloglog.tcl | 29 +++++++++++++++++++++++++++++
+ 1 file changed, 29 insertions(+)
+
+diff --git a/tests/unit/hyperloglog.tcl b/tests/unit/hyperloglog.tcl
+index 7d36b7a351f..6a9c47b11c5 100644
+--- a/tests/unit/hyperloglog.tcl
++++ b/tests/unit/hyperloglog.tcl
+@@ -115,6 +115,35 @@ start_server {tags {"hll"}} {
+         set e
+     } {*WRONGTYPE*}
+ 
++    test {Fuzzing dense/sparse encoding: Redis should always detect errors} {
++        for {set j 0} {$j < 10000} {incr j} {
++            r del hll
++            set items {}
++            set numitems [randomInt 3000]
++            for {set i 0} {$i < $numitems} {incr i} {
++                lappend items [expr {rand()}]
++            }
++            r pfadd hll {*}$items
++
++            # Corrupt it in some random way.
++            for {set i 0} {$i < 5} {incr i} {
++                set len [r strlen hll]
++                set pos [randomInt $len]
++                set byte [randstring 1 1 binary]
++                r setrange hll $pos $byte
++                # Don't modify more bytes 50% of times
++                if {rand() < 0.5} break
++            }
++
++            # Use the hyperloglog to check if it crashes
++            # Redis in some way.
++            catch {
++                r pfcount hll
++                r pfdebug getreg hll
++            }
++        }
++    }
++
+     test {PFADD, PFCOUNT, PFMERGE type checking works} {
+         r set foo bar
+         catch {r pfadd foo 1} e
diff --git a/SOURCES/php-CVE-2019-10193.patch b/SOURCES/php-CVE-2019-10193.patch
new file mode 100644
index 0000000..967625c
--- /dev/null
+++ b/SOURCES/php-CVE-2019-10193.patch
@@ -0,0 +1,27 @@
+From a4b90be9fcd5e1668ac941cabce3b1ab38dbe326 Mon Sep 17 00:00:00 2001
+From: antirez <antirez@gmail.com>
+Date: Fri, 15 Mar 2019 17:10:16 +0100
+Subject: [PATCH] HyperLogLog: enlarge reghisto variable for safety.
+
+---
+ src/hyperloglog.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/hyperloglog.c b/src/hyperloglog.c
+index e993bf26e1d..526510b43b9 100644
+--- a/src/hyperloglog.c
++++ b/src/hyperloglog.c
+@@ -1017,7 +1017,12 @@ uint64_t hllCount(struct hllhdr *hdr, int *invalid) {
+     double m = HLL_REGISTERS;
+     double E;
+     int j;
+-    int reghisto[HLL_Q+2] = {0};
++    /* Note that reghisto could be just HLL_Q+1, becuase this is the
++     * maximum frequency of the "000...1" sequence the hash function is
++     * able to return. However it is slow to check for sanity of the
++     * input: instead we history array at a safe size: overflows will
++     * just write data to wrong, but correctly allocated, places. */
++    int reghisto[64] = {0};
+ 
+     /* Compute register histogram */
+     if (hdr->encoding == HLL_DENSE) {
diff --git a/SPECS/redis.spec b/SPECS/redis.spec
index a0a2f07..a1e3f82 100644
--- a/SPECS/redis.spec
+++ b/SPECS/redis.spec
@@ -20,7 +20,7 @@
 
 Name:              redis
 Version:           5.0.3
-Release:           1%{?dist}
+Release:           2%{?dist}
 Summary:           A persistent key-value database
 # redis, jemalloc, linenoise, lzf, hiredis are BSD
 # lua is MIT
@@ -48,6 +48,11 @@ Source10:          https://github.com/antirez/%{name}-doc/archive/%{doc_commit}/
 Patch0001:         0001-1st-man-pageis-for-redis-cli-redis-benchmark-redis-c.patch
 # https://github.com/antirez/redis/pull/3494 - symlink
 Patch0002:         0002-install-redis-check-rdb-as-a-symlink-instead-of-dupl.patch
+
+# Security patches
+Patch100:          php-CVE-2019-10192.patch
+Patch101:          php-CVE-2019-10193.patch
+
 %if 0%{?with_tests}
 BuildRequires:     procps-ng
 BuildRequires:     tcl
@@ -124,6 +129,9 @@ mv ../%{name}-doc-%{doc_commit} doc
 %patch0001 -p1
 %patch0002 -p1
 
+%patch100 -p1 -b .cve-2019-10192
+%patch101 -p1 -b .cve-2019-10193
+
 mv deps/lua/COPYRIGHT    COPYRIGHT-lua
 mv deps/jemalloc/COPYING COPYING-jemalloc
 mv deps/hiredis/COPYING  COPYING-hiredis
@@ -268,6 +276,12 @@ exit 0
 
 
 %changelog
+* Thu Jul 11 2019 Remi Collet <rcollet@redhat.com> - 5.0.3-2
+- fix Heap buffer overflow in HyperLogLog triggered by malicious client
+  CVE-2019-10192
+- fix Stack buffer overflow in HyperLogLog triggered by malicious client
+  CVE-2019-10193
+
 * Thu Dec 13 2018 Remi Collet <rcollet@redhat.com> - 5.0.3-1
 - update to 5.0.3