hiredis
hiredis copied to clipboard
Potential fault at createDoubleObject
The potential fault occurs at the parameter len
of createDoubleObject
.
From the function prototype, we can see that len
is of size_t
type, which is known as an unsigned integer.
https://github.com/redis/hiredis/blob/b6f86f38c2bbf0caa63d489174ac3a9777b97807/hiredis.c#L221
This function attempts to allocate some space for string-typed double value dval
, and allocates one more byte for the null-terminating character for the string.
https://github.com/redis/hiredis/blob/b6f86f38c2bbf0caa63d489174ac3a9777b97807/hiredis.c#L228-L233
When len
is -1, the program allocates a space with size 0 for r->str
.
According to man 3 malloc,
If size is 0, then malloc() returns either NULL, or a unique pointer value that can later be successfully passed to free().
If hi_malloc
does not return NULL, the program will crash in the following memcpy
, which passes maximum value of unsigned integer to the size of memcpy
.
https://github.com/redis/hiredis/blob/b6f86f38c2bbf0caa63d489174ac3a9777b97807/hiredis.c#L240
Additional check to len
parameter should be included in createDoubleObject
function.
Why would you want to specify len as -1 (it is unsigned). Or do you mean to say that the largest possible len
value causes a crash? Wouldn't it simply be better to specify the behaviour as undefined if len + 1
does not fit within a size_t
?