File CVE-2025-46817.patch of Package redis.41031
From 229af5a62d4d24dd76486855197c3d08c13fe4d4 Mon Sep 17 00:00:00 2001
From: Ozan Tezcan <ozantezcan@gmail.com>
Date: Mon, 23 Jun 2025 13:33:00 +0300
Subject: [PATCH] Lua script may lead to integer overflow and potential RCE
(CVE-2025-46817)
---
deps/lua/src/lbaselib.c | 7 ++++---
deps/lua/src/ltable.c | 3 +--
tests/unit/scripting.tcl | 39 +++++++++++++++++++++++++++++++++++++++
3 files changed, 44 insertions(+), 5 deletions(-)
diff --git a/deps/lua/src/lbaselib.c b/deps/lua/src/lbaselib.c
index 2ab550bd48d..26172d15b40 100644
--- a/deps/lua/src/lbaselib.c
+++ b/deps/lua/src/lbaselib.c
@@ -340,13 +340,14 @@ static int luaB_assert (lua_State *L) {
static int luaB_unpack (lua_State *L) {
- int i, e, n;
+ int i, e;
+ unsigned int n;
luaL_checktype(L, 1, LUA_TTABLE);
i = luaL_optint(L, 2, 1);
e = luaL_opt(L, luaL_checkint, 3, luaL_getn(L, 1));
if (i > e) return 0; /* empty range */
- n = e - i + 1; /* number of elements */
- if (n <= 0 || !lua_checkstack(L, n)) /* n <= 0 means arith. overflow */
+ n = (unsigned int)e - (unsigned int)i; /* number of elements minus 1 */
+ if (n >= INT_MAX || !lua_checkstack(L, ++n))
return luaL_error(L, "too many results to unpack");
lua_rawgeti(L, 1, i); /* push arg[i] (avoiding overflow problems) */
while (i++ < e) /* push arg[i + 1...e] */
diff --git a/deps/lua/src/ltable.c b/deps/lua/src/ltable.c
index f75fe19fe39..55575a8ace9 100644
--- a/deps/lua/src/ltable.c
+++ b/deps/lua/src/ltable.c
@@ -434,8 +434,7 @@ static TValue *newkey (lua_State *L, Table *t, const TValue *key) {
** search function for integers
*/
const TValue *luaH_getnum (Table *t, int key) {
- /* (1 <= key && key <= t->sizearray) */
- if (cast(unsigned int, key-1) < cast(unsigned int, t->sizearray))
+ if (1 <= key && key <= t->sizearray)
return &t->array[key-1];
else {
lua_Number nk = cast_num(key);
diff --git a/tests/unit/scripting.tcl b/tests/unit/scripting.tcl
index be50c00d216..01427ee25bc 100644
--- a/tests/unit/scripting.tcl
+++ b/tests/unit/scripting.tcl
@@ -242,6 +242,45 @@ start_server {tags {"scripting"}} {
set e
} {*against a key*}
+ test {EVAL - Test table unpack with invalid indexes} {
+ catch {r eval { return {unpack({1,2,3}, -2, 2147483647)} } 0} e
+ assert_match {*too many results to unpack*} $e
+ catch {r eval { return {unpack({1,2,3}, 0, 2147483647)} } 0} e
+ assert_match {*too many results to unpack*} $e
+ catch {r eval { return {unpack({1,2,3}, -2147483648, -2)} } 0} e
+ assert_match {*too many results to unpack*} $e
+ set res [r eval { return {unpack({1,2,3}, -1, -2)} } 0]
+ assert_match {} $res
+ set res [r eval { return {unpack({1,2,3}, 1, -1)} } 0]
+ assert_match {} $res
+
+ # unpack with range -1 to 5, verify nil indexes
+ set res [r eval {
+ local function unpack_to_list(t, i, j)
+ local n, v = select('#', unpack(t, i, j)), {unpack(t, i, j)}
+ for i = 1, n do v[i] = v[i] or '_NIL_' end
+ v.n = n
+ return v
+ end
+
+ return unpack_to_list({1,2,3}, -1, 5)
+ } 0]
+ assert_match {_NIL_ _NIL_ 1 2 3 _NIL_ _NIL_} $res
+
+ # unpack with negative range, verify nil indexes
+ set res [r eval {
+ local function unpack_to_list(t, i, j)
+ local n, v = select('#', unpack(t, i, j)), {unpack(t, i, j)}
+ for i = 1, n do v[i] = v[i] or '_NIL_' end
+ v.n = n
+ return v
+ end
+
+ return unpack_to_list({1,2,3}, -2147483648, -2147483646)
+ } 0]
+ assert_match {_NIL_ _NIL_ _NIL_} $res
+ } {}
+
test {EVAL - JSON numeric decoding} {
# We must return the table as a string because otherwise
# Redis converts floats to ints and we get 0 and 1023 instead