summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlex Smith <aes7mv@virginia.edu>2020-10-16 18:57:56 -0400
committermichael-grunder <michael.grunder@gmail.com>2021-02-25 21:25:17 -0800
commitbd7488d27d235a35a16519446173bef99fd4f200 (patch)
treec48a107c0738b9e2c0290f7481b08f78ba289acd
parent5f9242a1f8d99bf9b7864e8ecdce443fe821ab40 (diff)
read: Validate line items prior to checking for object creation callbacks
-rw-r--r--read.c63
1 files changed, 33 insertions, 30 deletions
diff --git a/read.c b/read.c
index 9759dbc..24c2b58 100644
--- a/read.c
+++ b/read.c
@@ -267,47 +267,50 @@ static int processLineItem(redisReader *r) {
if ((p = readLine(r,&len)) != NULL) {
if (cur->type == REDIS_REPLY_INTEGER) {
+ long long v;
+
+ if (string2ll(p, len, &v) == REDIS_ERR) {
+ __redisReaderSetError(r,REDIS_ERR_PROTOCOL,
+ "Bad integer value");
+ return REDIS_ERR;
+ }
+
if (r->fn && r->fn->createInteger) {
- long long v;
- if (string2ll(p, len, &v) == REDIS_ERR) {
- __redisReaderSetError(r,REDIS_ERR_PROTOCOL,
- "Bad integer value");
- return REDIS_ERR;
- }
obj = r->fn->createInteger(cur,v);
} else {
obj = (void*)REDIS_REPLY_INTEGER;
}
} else if (cur->type == REDIS_REPLY_DOUBLE) {
- if (r->fn && r->fn->createDouble) {
- char buf[326], *eptr;
- double d;
+ char buf[326], *eptr;
+ double d;
- if ((size_t)len >= sizeof(buf)) {
+ if ((size_t)len >= sizeof(buf)) {
+ __redisReaderSetError(r,REDIS_ERR_PROTOCOL,
+ "Double value is too large");
+ return REDIS_ERR;
+ }
+
+ memcpy(buf,p,len);
+ buf[len] = '\0';
+
+ if (len == 3 && strcasecmp(buf,"inf") == 0) {
+ d = INFINITY; /* Positive infinite. */
+ } else if (len == 4 && strcasecmp(buf,"-inf") == 0) {
+ d = -INFINITY; /* Negative infinite. */
+ } else {
+ d = strtod((char*)buf,&eptr);
+ /* RESP3 only allows "inf", "-inf", and finite values, while
+ * strtod() allows other variations on infinity, NaN,
+ * etc. We explicity handle our two allowed infinite cases
+ * above, so strtod() should only result in finite values. */
+ if (buf[0] == '\0' || eptr != &buf[len] || !isfinite(d)) {
__redisReaderSetError(r,REDIS_ERR_PROTOCOL,
- "Double value is too large");
+ "Bad double value");
return REDIS_ERR;
}
+ }
- memcpy(buf,p,len);
- buf[len] = '\0';
-
- if (len == 3 && strcasecmp(buf,"inf") == 0) {
- d = INFINITY; /* Positive infinite. */
- } else if (len == 4 && strcasecmp(buf,"-inf") == 0) {
- d = -INFINITY; /* Negative infinite. */
- } else {
- d = strtod((char*)buf,&eptr);
- /* RESP3 only allows "inf", "-inf", and finite values, while
- * strtod() allows other variations on infinity, NaN,
- * etc. We explicity handle our two allowed infinite cases
- * above, so strtod() should only result in finite values. */
- if (buf[0] == '\0' || eptr != &buf[len] || !isfinite(d)) {
- __redisReaderSetError(r,REDIS_ERR_PROTOCOL,
- "Bad double value");
- return REDIS_ERR;
- }
- }
+ if (r->fn && r->fn->createDouble) {
obj = r->fn->createDouble(cur,d,buf,len);
} else {
obj = (void*)REDIS_REPLY_DOUBLE;