28 lines
1.1 KiB
Diff
28 lines
1.1 KiB
Diff
From 394614a5f91d88380f480c4610926a865b5b0f16 Mon Sep 17 00:00:00 2001
|
|
From: Oran Agra <oran@redislabs.com>
|
|
Date: Mon, 3 May 2021 08:32:31 +0300
|
|
Subject: [PATCH] Fix integer overflow in STRALGO LCS (CVE-2021-29477)
|
|
|
|
An integer overflow bug in Redis version 6.0 or newer could be exploited using
|
|
the STRALGO LCS command to corrupt the heap and potentially result with remote
|
|
code execution.
|
|
|
|
(cherry picked from commit f0c5f920d0f88bd8aa376a2c05af4902789d1ef9)
|
|
---
|
|
src/t_string.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/src/t_string.c b/src/t_string.c
|
|
index 4886f7e44388..5310a297db16 100644
|
|
--- a/src/t_string.c
|
|
+++ b/src/t_string.c
|
|
@@ -576,7 +576,7 @@ void stralgoLCS(client *c) {
|
|
/* Setup an uint32_t array to store at LCS[i,j] the length of the
|
|
* LCS A0..i-1, B0..j-1. Note that we have a linear array here, so
|
|
* we index it as LCS[j+(blen+1)*j] */
|
|
- uint32_t *lcs = zmalloc((alen+1)*(blen+1)*sizeof(uint32_t));
|
|
+ uint32_t *lcs = zmalloc((size_t)(alen+1)*(blen+1)*sizeof(uint32_t));
|
|
#define LCS(A,B) lcs[(B)+((A)*(blen+1))]
|
|
|
|
/* Start building the LCS table. */
|