File redis-CVE-2023-22458.patch of Package redis.29820

Index: redis-6.2.6/src/t_hash.c
===================================================================
--- redis-6.2.6.orig/src/t_hash.c
+++ redis-6.2.6/src/t_hash.c
@@ -1192,8 +1192,13 @@ void hrandfieldCommand(client *c) {
         if (c->argc > 4 || (c->argc == 4 && strcasecmp(c->argv[3]->ptr,"withvalues"))) {
             addReplyErrorObject(c,shared.syntaxerr);
             return;
-        } else if (c->argc == 4)
+        } else if (c->argc == 4) {
             withvalues = 1;
+            if (l < LONG_MIN/2 || l > LONG_MAX/2) {
+                addReplyError(c,"value is out of range");
+                return;
+            }
+        }
         hrandfieldWithCountCommand(c, l, withvalues);
         return;
     }
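Review bot: The new bound in the `c->argc == 4` branch carries no comment explaining why the limit is half the `long` range, and it is applied only when WITHVALUES is given. Presumably the reply holds two elements per entry, so the doubled count must still fit in a `long`; a comment above the `if` such as `/* WITHVALUES doubles the reply length, so count*2 must still fit in a long. */` would record that. Without the option, `l` still reaches hrandfieldWithCountCommand unchecked, and that function is outside this hunk, so it is worth confirming that it copes with `LONG_MIN` (for example if it negates a negative count, which would be signed overflow). hrandfieldCommand itself starts and ends outside the hunk. The same points apply to the identical check added to zrandmemberCommand in t_zset.c.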
Index: redis-6.2.6/src/t_zset.c
===================================================================
--- redis-6.2.6.orig/src/t_zset.c
+++ redis-6.2.6/src/t_zset.c
@@ -4216,8 +4216,13 @@ void zrandmemberCommand(client *c) {
         if (c->argc > 4 || (c->argc == 4 && strcasecmp(c->argv[3]->ptr,"withscores"))) {
             addReplyErrorObject(c,shared.syntaxerr);
             return;
-        } else if (c->argc == 4)
+        } else if (c->argc == 4) {
             withscores = 1;
+            if (l < LONG_MIN/2 || l > LONG_MAX/2) {
+                addReplyError(c,"value is out of range");
+                return;
+            }
+        }
         zrandmemberWithCountCommand(c, l, withscores);
         return;
     }
Index: redis-6.2.6/tests/unit/type/hash.tcl
===================================================================
--- redis-6.2.6.orig/tests/unit/type/hash.tcl
+++ redis-6.2.6/tests/unit/type/hash.tcl
@@ -68,6 +68,11 @@ start_server {tags {"hash"}} {
         r hrandfield myhash 0
     } {}
 
+    test "HRANDFIELD count overflow" {
+        r hmset myhash a 1
+        assert_error {*value is out of range*} {r hrandfield myhash -9223372036854770000 withvalues}
+    } {}
+
     test "HRANDFIELD with <count> against non existing key" {
         r hrandfield nonexisting_key 100
     } {}
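Review bot: The added "HRANDFIELD count overflow" test exercises only a large negative count, so the `l > LONG_MAX/2` side of the new check and a count just inside the limit are not covered. Adding `assert_error {*value is out of range*} {r hrandfield myhash 9223372036854770000 withvalues}` would pin the upper bound as well. The test also writes field `a` into the shared `myhash` key, so any later test that assumes that key's contents (outside this hunk) should be checked. The "ZRANDMEMBER count overflow" test in zset.tcl has the same gaps.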
Index: redis-6.2.6/tests/unit/type/zset.tcl
===================================================================
--- redis-6.2.6.orig/tests/unit/type/zset.tcl
+++ redis-6.2.6/tests/unit/type/zset.tcl
@@ -1714,6 +1714,11 @@ start_server {tags {"zset"}} {
         r zrandmember nonexisting_key 100
     } {}
 
+    test "ZRANDMEMBER count overflow" {
+        r zadd myzset 0 a
+        assert_error {*value is out of range*} {r zrandmember myzset -9223372036854770000 withscores}
+    } {}
+
     # Make sure we can distinguish between an empty array and a null response
     r readraw 1
 