From 109197585762986502d3a8fa628acc1b82b68cf3 Mon Sep 17 00:00:00 2001
From: Justin Brewer
Date: Thu, 17 May 2018 20:17:13 -0500
Subject: Fix bulk and multi-bulk length truncation

processMultiBulkItem truncates the value read from readLongLong, resulting in a corrupted state when the next item is read. createArray takes an int, so bound to INT_MAX. Inspection showed that processBulkItem had the same truncation issue. createString takes size_t, so bound to SIZE_MAX. This only has an effect on 32-bit platforms. A strict lower bound is also added, since negative lengths other than -1 are invalid according to RESP.

Signed-off-by: Justin Brewer
---
 read.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
(limited to 'read.c')
diff --git a/read.c b/read.c
index c0f8489..39c21b8 100644
--- a/read.c
+++ b/read.c
@@ -264,7 +264,13 @@ static int processBulkItem(redisReader *r) {
 return REDIS_ERR;
 }
- if (len < 0) {
+ if (len < -1 || (LLONG_MAX > SIZE_MAX && len > (long long)SIZE_MAX)) {
+ __redisReaderSetError(r,REDIS_ERR_PROTOCOL,
+ "Bulk string length out of range");
+ return REDIS_ERR;
+ }
+
+ if (len == -1) {
 /* The nil object can always be created. */
 if (r->fn && r->fn->createNil)
 obj = r->fn->createNil(cur);
@@ -325,6 +331,12 @@ static int processMultiBulkItem(redisReader *r) {
 root = (r->ridx == 0);
+ if(elements < -1 || elements > INT_MAX) {
+ __redisReaderSetError(r,REDIS_ERR_PROTOCOL,
+ "Multi-bulk length out of range");
+ return REDIS_ERR;
+ }
+
 if (elements == -1) {
 if (r->fn && r->fn->createNil)
 obj = r->fn->createNil(cur);
--
cgit v1.2.3
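Review bot: Both new range checks only work if `len` (here) and `elements` (in the processMultiBulkItem hunk) are declared `long long`; the declarations are outside the hunks, and if either is a narrower type such as `long`, the value from readLongLong is already truncated at the assignment on ILP32/LLP64 targets, so the `> SIZE_MAX` and `> INT_MAX` arms can never fire there. Confirm the declarations read `long long len;` and `long long elements;`. Separately, the diffstat shows no include being added, so `LLONG_MAX`, `INT_MAX` and `SIZE_MAX` depend on read.c already pulling in `<limits.h>` and `<stdint.h>`. A bound of exactly SIZE_MAX also leaves no headroom for the trailing CRLF: if the code after this hunk adds to `len` (not visible here), `len > (long long)(SIZE_MAX - 2)` would be the safer limit.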
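Review bot: The `elements > INT_MAX` bound stops the truncation, but a multi-bulk header of a few bytes can still ask createArray for up to 2^31-1 entries, so a misbehaving or hostile peer can drive a very large allocation before any element has arrived. A lower cap, ideally configurable on the reader, would bound that; whether the callers' createArray implementations already limit the size is not visible in this hunk. Minor style point: the added line writes `if(elements` while the surrounding code uses `if (elements == -1) {`, so `if (elements < -1 || elements > INT_MAX) {` would match the file.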