Fixed a theoretical non exploitable security bug reported by @chrisrohlf. In...

Fixed a theoretical non exploitable security bug reported by @chrisrohlf. In theory if we undefine SDS_ABORT_ON_OOM from sds.c AND modify zmalloc.c in order to don't quit on out of memory (but this would break every other part of Redis), on out of memory there is a possible heap overflow.

Fixed a theoretical non exploitable security bug reported by @chrisrohlf. In...
Fixed a theoretical non exploitable security bug reported by @chrisrohlf. In theory if we undefine SDS_ABORT_ON_OOM from sds.c AND modify zmalloc.c in order to don't quit on out of memory (but this would break every other part of Redis), on out of memory there is a possible heap overflow.
be86082b · antirez · cc9f0eee · be86082b
隐藏空白更改
内联并排

Showing with 5 addition and 1 deletion

src/sds.c src/sds.c +5 -1

未找到文件。
--- a/src/sds.c
+++ b/src/sds.c
@@ -305,7 +305,10 @@ sds *sdssplitlen(char *s, int len, char *sep, int seplen, int *count) {
 #ifdef SDS_ABORT_ON_OOM
    if (tokens == NULL) sdsOomAbort();
 #endif
-    if (seplen < 1 || len < 0 || tokens == NULL) return NULL;
+    if (seplen < 1 || len < 0 || tokens == NULL) {
+        *count = 0;
+        return NULL;
+    }
    if (len == 0) {
        *count = 0;
        return tokens;
@@ -360,6 +363,7 @@ cleanup:
        int i;
        for (i = 0; i < elements; i++) sdsfree(tokens[i]);
        zfree(tokens);
+        *count = 0;
        return NULL;
    }
 #endif