File CVE-2021-32765.patch of Package hiredis

From: Andreas Stieger <andreas.stieger@gmx.de>
Date: Tue, 23 Nov 2021 22:32:06 +0100
Subject: Fix for integer/buffer overflow CVE-2021-32765
References: https://bugzilla.opensuse.org/show_bug.cgi?id=1191331

https://github.com/redis/hiredis/security/advisories/GHSA-hfm9-39pp-55p2

Index: hiredis-0.13.3/hiredis.c
===================================================================
--- hiredis-0.13.3.orig/hiredis.c
+++ hiredis-0.13.3/hiredis.c
@@ -45,7 +45,7 @@
 
 static redisReply *createReplyObject(int type);
 static void *createStringObject(const redisReadTask *task, char *str, size_t len);
-static void *createArrayObject(const redisReadTask *task, int elements);
+static void *createArrayObject(const redisReadTask *task, size_t elements);
 static void *createIntegerObject(const redisReadTask *task, long long value);
 static void *createNilObject(const redisReadTask *task);
 
@@ -131,7 +131,7 @@ static void *createStringObject(const re
     return r;
 }
 
-static void *createArrayObject(const redisReadTask *task, int elements) {
+static void *createArrayObject(const redisReadTask *task, size_t elements) {
     redisReply *r, *parent;
 
     r = createReplyObject(REDIS_REPLY_ARRAY);
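Review bot: Widening this parameter to `size_t` only removes the truncation if every caller passes a `size_t` too, and this hunk shows none of them: the function is installed in `redisReplyObjectFunctions` as the `createArray` callback, whose member type lives in read.h, and the reply count parsed from the wire is handed over from read.c's multi-bulk handler. If those still declare and pass `int`, the assignment of this function to the callback slot is an incompatible-pointer-type conversion, the call through it is undefined behaviour, and a negative or truncated count reaches this function unchanged, so the guard added inside it never sees the original value. Confirm that the same patch also changes the callback prototype to `void *(*createArray)(const redisReadTask*, size_t);` and bounds-checks the parsed `long long` against `SIZE_MAX` before the call; neither is visible on this page. The body of createArrayObject continues past the end of this hunk.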
@@ -139,6 +139,7 @@ static void *createArrayObject(const red
         return NULL;
 
     if (elements > 0) {
+        if (SIZE_MAX / sizeof(redisReply*) < elements) return NULL;  /* Don't overflow */
         r->element = calloc(elements,sizeof(redisReply*));
         if (r->element == NULL) {
             freeReplyObject(r);
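Review bot: The added guard returns NULL while `r`, allocated by createReplyObject a few lines above, is still owned by this function, so every over-large element count leaks one redisReply; since the count comes straight from the peer, a malicious server can trigger that leak per reply. Mirror the calloc-failure path directly below it: `if (SIZE_MAX / sizeof(redisReply*) < elements) { freeReplyObject(r); return NULL; }  /* Don't overflow */`. `SIZE_MAX` is defined in `<stdint.h>`, and the patch adds no include; the file's include list is not visible here, so confirm hiredis.c already pulls that header in (transitively via stdlib.h is not guaranteed), otherwise the build breaks on a missing identifier. Note that a NULL return from this path is reported to the caller the same way as an allocation failure, so a hostile reply count surfaces as an out-of-memory error rather than a protocol error; that is acceptable but worth a comment. The rest of createArrayObject lies outside this hunk.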