From f913e9b997e2cc4b847923e1b3b0649d77c85923 Mon Sep 17 00:00:00 2001 From: Alex Smith Date: Thu, 15 Oct 2020 17:46:15 -0400 Subject: read: Fix double validation and infinity parsing The ',' protocol byte gets removed in processItem(), so it should not be compared against in processLineItem(). strtod() allows multiple representations of infinity and NaN that are not RESP3 compliant. Since we explicitly check for the two compliant infinity cases, strtod() should only return finite values. --- read.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/read.c b/read.c index 0952469..34fce2e 100644 --- a/read.c +++ b/read.c @@ -299,13 +299,17 @@ static int processLineItem(redisReader *r) { memcpy(buf,p,len); buf[len] = '\0'; - if (strcasecmp(buf,",inf") == 0) { + if (strcasecmp(buf,"inf") == 0) { d = INFINITY; /* Positive infinite. */ - } else if (strcasecmp(buf,",-inf") == 0) { + } else if (strcasecmp(buf,"-inf") == 0) { d = -INFINITY; /* Negative infinite. */ } else { d = strtod((char*)buf,&eptr); - if (buf[0] == '\0' || eptr[0] != '\0' || isnan(d)) { + /* RESP3 only allows "inf", "-inf", and finite values, while + * strtod() allows other variations on infinity, NaN, + * etc. We explicity handle our two allowed infinite cases + * above, so strtod() should only result in finite values. */ + if (buf[0] == '\0' || eptr[0] != '\0' || !isfinite(d)) { __redisReaderSetError(r,REDIS_ERR_PROTOCOL, "Bad double value"); return REDIS_ERR; -- cgit v1.2.3