From 6540e9eeaae0e4b9a28e51680466d10c6ba3a3a1 Mon Sep 17 00:00:00 2001
From: antirez
Date: Tue, 25 Mar 2014 10:30:01 +0100
Subject: [PATCH] Fix off by one bug in freeMemoryIfNeeded() eviction pool.
Bug found by the continuous integration test running the Redis with valgrind:
==6245== Invalid read of size 8
==6245== at 0x4C2DEEF: memcpy@GLIBC_2.2.5 (mc_replace_strmem.c:876)
==6245== by 0x41F9E6: freeMemoryIfNeeded (redis.c:3010)
==6245== by 0x41D2CC: processCommand (redis.c:2069)
memmove() size argument was accounting for an extra element, going outside the bounds of the array.
---
 src/redis.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/redis.c b/src/redis.c
index cbfaf7c9..9e3331f7 100644
--- a/src/redis.c
+++ b/src/redis.c
@@ -3040,7 +3040,7 @@ int freeMemoryIfNeeded(void) {
 sdsfree(pool[k].key);
 /* Shift all elements on its right to left. */
 memmove(pool+k,pool+k+1,
- sizeof(pool[0])*(REDIS_EVICTION_POOL_SIZE-k));
+ sizeof(pool[0])*(REDIS_EVICTION_POOL_SIZE-k-1));
 /* Clear the element on the right which is empty
 * since we shifted one position to the left. */
 pool[REDIS_EVICTION_POOL_SIZE-1].key = NULL;
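Review bot: The `memmove()` length is still bare index arithmetic with no comment on the element count, and that count is exactly what was off by one; a line such as `/* Entries to the right of k: REDIS_EVICTION_POOL_SIZE-k-1 (zero when k is the last slot). */` above the call would make the bound reviewable and guard against the over-read coming back. With the corrected count the last slot keeps a byte-for-byte copy of the entry that moved into the slot to its left, and the visible lines clear only `.key`. If the pool entry has other fields that are read while `.key` is NULL, they should be reset next to that assignment. freeMemoryIfNeeded() starts and continues outside the hunk, so that reset may already be there.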