fluencelabs/redis
1
0
Fork 0
mirror of https://github.com/fluencelabs/redis synced 2025-03-18 00:20:50 +00:00
Code Issues Projects Releases Wiki Activity

Fix LUA_OBJCACHE segfault.

Browse Source 
When scanning the argument list inside of a redis.call() invocation
for pre-cached values, there was no check being done that the
argument we were on was in fact within the bounds of the cache size.

So if a redis.call() command was ever executed with more than 32
arguments (current cache size #define setting) redis-server could
segfault.
This commit is contained in:
michael-grunder 2014-05-19 13:18:13 -07:00
parent a9e62ab9fa
commit ea0e2524aa
1 changed files with 3 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/scripting.c
View File

@ -237,7 +237,9 @@ int luaRedisGenericCommand(lua_State *lua, int raise_error) {
if (obj_s == NULL) break; /* Not a string. */
/* Try to use a cached object. */
if (cached_objects[j] && cached_objects_len[j] >= obj_len) {
if (j < LUA_CMD_OBJCACHE_SIZE && cached_objects[j] &&
cached_objects_len[j] >= obj_len)
{
char *s = cached_objects[j]->ptr;
struct sdshdr *sh = (void*)(s-(sizeof(struct sdshdr)));