Fixed undefined behavior in *INCR style functions overflow detection. Sorry clang!

7c96b467 · antirez · fe7be460 · 7c96b467 · 7c96b467
隐藏空白更改
内联并排

Showing with 6 addition and 4 deletion

src/t_hash.c src/t_hash.c +3 -2

src/t_string.c src/t_string.c +3 -2

未找到文件。
--- a/src/t_hash.c
+++ b/src/t_hash.c
@@ -337,11 +337,12 @@ void hincrbyCommand(redisClient *c) {
    }
    oldvalue = value;
-    value += incr;
+    if ((incr < 0 && oldvalue < 0 && incr < (LLONG_MIN-oldvalue)) ||
-    if ((incr < 0 && value > oldvalue) || (incr > 0 && value < oldvalue)) {
+        (incr > 0 && oldvalue > 0 && incr > (LLONG_MAX-oldvalue))) {
        addReplyError(c,"increment or decrement would overflow");
        return;
    }
+    value += incr;
    new = createStringObjectFromLongLong(value);
    hashTypeTryObjectEncoding(o,&c->argv[2],NULL);
    hashTypeSet(o,c->argv[2],new);

--- a/src/t_string.c
+++ b/src/t_string.c
@@ -344,11 +344,12 @@ void incrDecrCommand(redisClient *c, long long incr) {
    if (getLongLongFromObjectOrReply(c,o,&value,NULL) != REDIS_OK) return;
    oldvalue = value;
-    value += incr;
+    if ((incr < 0 && oldvalue < 0 && incr < (LLONG_MIN-oldvalue)) ||
-    if ((incr < 0 && value > oldvalue) || (incr > 0 && value < oldvalue)) {
+        (incr > 0 && oldvalue > 0 && incr > (LLONG_MAX-oldvalue))) {
        addReplyError(c,"increment or decrement would overflow");
        return;
    }
+    value += incr;
    new = createStringObjectFromLongLong(value);
    if (o)
        dbOverwrite(c->db,c->argv[1],new);