From b38682199b09bb77e11d9a3d4130fd8ebf8df7df Mon Sep 17 00:00:00 2001
From: antirez
Date: Tue, 12 Jun 2018 17:31:04 +0200
Subject: [PATCH] Fix rdbSaveKeyValuePair() integer overflow.

Again thanks to @oranagra. The object idle time does not fit into an int sometimes: use the native type that the serialization function will get as argument, which is uint64_t.
---
 src/rdb.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/rdb.c b/src/rdb.c
index 7d5fd5fc..97b2d035 100644
--- a/src/rdb.c
+++ b/src/rdb.c
@@ -993,8 +993,7 @@ size_t rdbSavedObjectLen(robj *o) {
 * On error -1 is returned.
 * On success if the key was actually saved 1 is returned, otherwise 0
 * is returned (the key was already expired). */
-int rdbSaveKeyValuePair(rio *rdb, robj *key, robj *val, long long expiretime)
-{
+int rdbSaveKeyValuePair(rio *rdb, robj *key, robj *val, long long expiretime) {
 int savelru = server.maxmemory_policy & MAXMEMORY_FLAG_LRU;
 int savelfu = server.maxmemory_policy & MAXMEMORY_FLAG_LFU;
@@ -1006,7 +1005,7 @@ int rdbSaveKeyValuePair(rio *rdb, robj *key, robj *val, long long expiretime)
 /* Save the LRU info. */
 if (savelru) {
- int idletime = estimateObjectIdleTime(val);
+ uint64_t idletime = estimateObjectIdleTime(val);
 idletime /= 1000; /* Using seconds is enough and requires less space.*/
 if (rdbSaveType(rdb,RDB_OPCODE_IDLE) == -1) return -1;
 if (rdbSaveLen(rdb,idletime) == -1) return -1;
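Review bot: The reader for `RDB_OPCODE_IDLE` is not touched by this patch, so the widening of `idletime` in the second hunk covers only the save half of the round trip. If the load path still narrows the decoded length into an `int`, the same truncation would reappear there, on a value that comes from a file rather than from the running server. It is worth confirming that the loader keeps the value in a 64-bit type and checks for a decode error before using it. A comment on the declaration would also keep the type from being narrowed again, for example `/* 64 bit on purpose: the idle time in ms may not fit an int, and rdbSaveLen() takes uint64_t. */`. The body of rdbSaveKeyValuePair() continues past both hunks, and the first hunk only moves the opening brace.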