File redis-CVE-2023-22458.patch of Package redis.29820
Index: redis-6.2.6/src/t_hash.c
===================================================================
--- redis-6.2.6.orig/src/t_hash.c
+++ redis-6.2.6/src/t_hash.c
@@ -1192,8 +1192,13 @@ void hrandfieldCommand(client *c) {
if (c->argc > 4 || (c->argc == 4 && strcasecmp(c->argv[3]->ptr,"withvalues"))) {
addReplyErrorObject(c,shared.syntaxerr);
return;
- } else if (c->argc == 4)
+ } else if (c->argc == 4) {
withvalues = 1;
+ if (l < LONG_MIN/2 || l > LONG_MAX/2) {
+ addReplyError(c,"value is out of range");
+ return;
+ }
+ }
hrandfieldWithCountCommand(c, l, withvalues);
return;
}
Index: redis-6.2.6/src/t_zset.c
===================================================================
--- redis-6.2.6.orig/src/t_zset.c
+++ redis-6.2.6/src/t_zset.c
@@ -4216,8 +4216,13 @@ void zrandmemberCommand(client *c) {
if (c->argc > 4 || (c->argc == 4 && strcasecmp(c->argv[3]->ptr,"withscores"))) {
addReplyErrorObject(c,shared.syntaxerr);
return;
- } else if (c->argc == 4)
+ } else if (c->argc == 4) {
withscores = 1;
+ if (l < LONG_MIN/2 || l > LONG_MAX/2) {
+ addReplyError(c,"value is out of range");
+ return;
+ }
+ }
zrandmemberWithCountCommand(c, l, withscores);
return;
}
Index: redis-6.2.6/tests/unit/type/hash.tcl
===================================================================
--- redis-6.2.6.orig/tests/unit/type/hash.tcl
+++ redis-6.2.6/tests/unit/type/hash.tcl
@@ -68,6 +68,11 @@ start_server {tags {"hash"}} {
r hrandfield myhash 0
} {}
+ test "HRANDFIELD count overflow" {
+ r hmset myhash a 1
+ assert_error {*value is out of range*} {r hrandfield myhash -9223372036854770000 withvalues}
+ } {}
+
test "HRANDFIELD with <count> against non existing key" {
r hrandfield nonexisting_key 100
} {}
Index: redis-6.2.6/tests/unit/type/zset.tcl
===================================================================
--- redis-6.2.6.orig/tests/unit/type/zset.tcl
+++ redis-6.2.6/tests/unit/type/zset.tcl
@@ -1714,6 +1714,11 @@ start_server {tags {"zset"}} {
r zrandmember nonexisting_key 100
} {}
+ test "ZRANDMEMBER count overflow" {
+ r zadd myzset 0 a
+ assert_error {*value is out of range*} {r zrandmember myzset -9223372036854770000 withscores}
+ } {}
+
# Make sure we can distinguish between an empty array and a null response
r readraw 1