From a0b27dae85ae071b60d4c5196e7d18d72fbbba2b Mon Sep 17 00:00:00 2001
From: antirez
Date: Mon, 18 Jun 2018 13:51:19 +0200
Subject: [PATCH] Streams: fix xreadGetKeys() buffer overflow.
The loop allocated a buffer for the right number of keys positions, then overflowed it going past the limit. Related to #4857 and cause of the memory violation seen in #5028.
---
 src/db.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/db.c b/src/db.c
index 2219194b..83ffbcc9 100644
--- a/src/db.c
+++ b/src/db.c
@@ -1422,7 +1422,7 @@ int *xreadGetKeys(struct redisCommand *cmd, robj **argv, int argc, int *numkeys)
 there are also the IDs, one per key. */
 keys = zmalloc(sizeof(int) * num);
- for (i = streams_pos+1; i < argc; i++) keys[i-streams_pos-1] = i;
+ for (i = streams_pos+1; i < argc-num; i++) keys[i-streams_pos-1] = i;
 *numkeys = num;
 return keys;
 }
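Review bot: The new bound `i < argc-num` keeps the write inside `keys` only if `num` is exactly half of the arguments that follow `streams_pos`, and that invariant is established earlier in xreadGetKeys(), outside this hunk. The store index is therefore still not tied to the `zmalloc(sizeof(int) * num)` size on the line above, and a later change to how `num` is derived could bring back the heap overflow. Since `argv` appears to be the parsed command's arguments, I would bound the loop by the allocation count itself: `for (i = 0; i < num; i++) keys[i] = streams_pos+1+i;`. If the current form stays, a comment such as `/* Stop at argc-num: the trailing num arguments are IDs, not keys. */` would record why the bound is correct.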