
Commit 3645755

committed
Fix NULL-pointer dereferences and handle possible UB
1 parent b928505 commit 3645755

2 files changed

Lines changed: 43 additions & 29 deletions


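--- a/library.c
+++ b/library.c
@@ -1278,26 +1278,35 @@ redis_zrandmember_response(INTERNAL_FUNCTION_PARAMETERS, RedisSock *redis_sock,
 return redis_string_response(INTERNAL_FUNCTION_PARAM_PASSTHRU, redis_sock, z_tab, NULL);
 } else if (ctx == PHPREDIS_CTX_PTR) {
 return redis_mbulk_reply_raw(INTERNAL_FUNCTION_PARAM_PASSTHRU, redis_sock, z_tab, NULL);
+} else if (ctx == PHPREDIS_CTX_PTR + 1) {
+return redis_mbulk_reply_zipped_keys_dbl(INTERNAL_FUNCTION_PARAM_PASSTHRU, redis_sock, z_tab, NULL);
+} else {
+ZEND_ASSERT(!"memory corruption?");
 }
-return redis_mbulk_reply_zipped_keys_dbl(INTERNAL_FUNCTION_PARAM_PASSTHRU, redis_sock, z_tab, NULL);
 }
 
 PHP_REDIS_API int
 redis_zdiff_response(INTERNAL_FUNCTION_PARAMETERS, RedisSock *redis_sock, zval *z_tab, void *ctx)
 {
 if (ctx == NULL) {
 return redis_mbulk_reply_raw(INTERNAL_FUNCTION_PARAM_PASSTHRU, redis_sock, z_tab, NULL);
+} else if (ctx == PHPREDIS_CTX_PTR) {
+return redis_mbulk_reply_zipped_keys_dbl(INTERNAL_FUNCTION_PARAM_PASSTHRU, redis_sock, z_tab, NULL);
+} else {
+ZEND_ASSERT(!"memory corruption?");
 }
-return redis_mbulk_reply_zipped_keys_dbl(INTERNAL_FUNCTION_PARAM_PASSTHRU, redis_sock, z_tab, NULL);
 }
 
 PHP_REDIS_API int
 redis_set_response(INTERNAL_FUNCTION_PARAMETERS, RedisSock *redis_sock, zval *z_tab, void *ctx)
 {
 if (ctx == NULL) {
 return redis_boolean_response(INTERNAL_FUNCTION_PARAM_PASSTHRU, redis_sock, z_tab, NULL);
+} else if (ctx == PHPREDIS_CTX_PTR) {
+return redis_string_response(INTERNAL_FUNCTION_PARAM_PASSTHRU, redis_sock, z_tab, NULL);
+} else {
+ZEND_ASSERT(!"memory corruption?");
 }
-return redis_string_response(INTERNAL_FUNCTION_PARAM_PASSTHRU, redis_sock, z_tab, NULL);
 }
 
 PHP_REDIS_API int
@@ -1307,8 +1316,11 @@ redis_hrandfield_response(INTERNAL_FUNCTION_PARAMETERS, RedisSock *redis_sock, z
 return redis_string_response(INTERNAL_FUNCTION_PARAM_PASSTHRU, redis_sock, z_tab, NULL);
 } else if (ctx == PHPREDIS_CTX_PTR) {
 return redis_mbulk_reply_raw(INTERNAL_FUNCTION_PARAM_PASSTHRU, redis_sock, z_tab, NULL);
+} else if (ctx == PHPREDIS_CTX_PTR + 1) {
+return redis_mbulk_reply_zipped_raw(INTERNAL_FUNCTION_PARAM_PASSTHRU, redis_sock, z_tab, NULL);
+} else {
+ZEND_ASSERT(!"memory corruption?");
 }
-return redis_mbulk_reply_zipped_raw(INTERNAL_FUNCTION_PARAM_PASSTHRU, redis_sock, z_tab, NULL);
 }
 
 PHP_REDIS_API int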
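Review bot: In non-debug builds the new `else { ZEND_ASSERT(!"memory corruption?"); }` branches leave these `int` functions without a return value, so an unexpected `ctx` is still undefined behaviour in release builds rather than a handled error. As far as I know, ZEND_ASSERT only aborts under ZEND_DEBUG and otherwise becomes an optimizer assumption, so the compiler is free to treat the branch as unreachable. I would add `return FAILURE;` (or whatever these handlers use to signal an error) directly after the assert in redis_zrandmember_response, redis_zdiff_response, redis_set_response and redis_hrandfield_response, so that production builds fail closed. The first and last of these functions begin outside the visible hunks.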

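--- a/redis_commands.c
+++ b/redis_commands.c
@@ -649,21 +649,23 @@ redis_zrandmember_cmd(INTERNAL_FUNCTION_PARAMETERS, RedisSock *redis_sock,
 smart_string cmdstr = {0};
 zend_bool withscores = 0;
 zval *z_opts = NULL, *z_ele;
+zend_string *zkey;
 
 if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|a",
 &key, &key_len, &z_opts) == FAILURE)
 {
 return FAILURE;
 }
 
-if (z_opts && Z_TYPE_P(z_opts) == IS_ARRAY) {
-zend_string *zkey;
+if (z_opts != NULL) {
 ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(z_opts), zkey, z_ele) {
-ZVAL_DEREF(z_ele);
-if (zend_string_equals_literal_ci(zkey, "count")) {
-count = zval_get_long(z_ele);
-} else if (zend_string_equals_literal_ci(zkey, "withscores")) {
-withscores = zval_is_true(z_ele);
+if (zkey != NULL) {
+ZVAL_DEREF(z_ele);
+if (zend_string_equals_literal_ci(zkey, "count")) {
+count = zval_get_long(z_ele);
+} else if (zend_string_equals_literal_ci(zkey, "withscores")) {
+withscores = zval_is_true(z_ele);
+}
 }
 } ZEND_HASH_FOREACH_END();
 }
@@ -695,6 +697,7 @@ redis_zdiff_cmd(INTERNAL_FUNCTION_PARAMETERS, RedisSock *redis_sock,
 smart_string cmdstr = {0};
 zval *z_keys, *z_opts = NULL, *z_ele;
 zend_bool withscores = 0;
+zend_string *zkey;
 
 if (zend_parse_parameters(ZEND_NUM_ARGS(), "a|a",
 &z_keys, &z_opts) == FAILURE)
@@ -706,8 +709,7 @@ redis_zdiff_cmd(INTERNAL_FUNCTION_PARAMETERS, RedisSock *redis_sock,
 return FAILURE;
 }
 
-if (z_opts && Z_TYPE_P(z_opts) == IS_ARRAY) {
-zend_string *zkey;
+if (z_opts != NULL) {
 ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(z_opts), zkey, z_ele) {
 if (zkey != NULL) {
 ZVAL_DEREF(z_ele);
@@ -780,7 +782,7 @@ redis_zinterunion_cmd(INTERNAL_FUNCTION_PARAMETERS, RedisSock *redis_sock,
 int numkeys;
 smart_string cmdstr = {0};
 zval *z_keys, *z_weights = NULL, *z_opts = NULL, *z_ele;
-zend_string *aggregate = NULL;
+zend_string *aggregate = NULL, *zkey;
 zend_bool withscores = 0;
 
 if (zend_parse_parameters(ZEND_NUM_ARGS(), "a|a!a",
@@ -801,8 +803,7 @@ redis_zinterunion_cmd(INTERNAL_FUNCTION_PARAMETERS, RedisSock *redis_sock,
 }
 }
 
-if (z_opts && Z_TYPE_P(z_opts) == IS_ARRAY) {
-zend_string *zkey;
+if (z_opts != NULL) {
 ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(z_opts), zkey, z_ele) {
 if (zkey != NULL) {
 ZVAL_DEREF(z_ele);
@@ -2558,21 +2559,23 @@ redis_hrandfield_cmd(INTERNAL_FUNCTION_PARAMETERS, RedisSock *redis_sock,
 smart_string cmdstr = {0};
 zend_bool withvalues = 0;
 zval *z_opts = NULL, *z_ele;
+zend_string *zkey;
 
 if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|a",
 &key, &key_len, &z_opts) == FAILURE)
 {
 return FAILURE;
 }
 
-if (z_opts && Z_TYPE_P(z_opts) == IS_ARRAY) {
-zend_string *zkey;
+if (z_opts != NULL) {
 ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(z_opts), zkey, z_ele) {
-ZVAL_DEREF(z_ele);
-if (zend_string_equals_literal_ci(zkey, "count")) {
-count = zval_get_long(z_ele);
-} else if (zend_string_equals_literal_ci(zkey, "withvalues")) {
-withvalues = zval_is_true(z_ele);
+if (zkey != NULL) {
+ZVAL_DEREF(z_ele);
+if (zend_string_equals_literal_ci(zkey, "count")) {
+count = zval_get_long(z_ele);
+} else if (zend_string_equals_literal_ci(zkey, "withvalues")) {
+withvalues = zval_is_true(z_ele);
+}
 }
 } ZEND_HASH_FOREACH_END();
 }
@@ -3379,7 +3382,7 @@ redis_geosearch_cmd(INTERNAL_FUNCTION_PARAMETERS, RedisSock *redis_sock,
 }
 
 /* Attempt to parse our options array */
-if (opts != NULL && Z_TYPE_P(opts) == IS_ARRAY) {
+if (opts != NULL) {
 ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(opts), zkey, z_ele) {
 ZVAL_DEREF(z_ele);
 if (zkey != NULL) {
@@ -3502,7 +3505,7 @@ redis_geosearchstore_cmd(INTERNAL_FUNCTION_PARAMETERS, RedisSock *redis_sock,
 }
 
 /* Attempt to parse our options array */
-if (opts != NULL && Z_TYPE_P(opts) == IS_ARRAY) {
+if (opts != NULL) {
 ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(opts), zkey, z_ele) {
 ZVAL_DEREF(z_ele);
 if (zkey != NULL) {
@@ -3824,17 +3827,16 @@ redis_copy_cmd(INTERNAL_FUNCTION_PARAMETERS, RedisSock *redis_sock,
 size_t src_len, dst_len;
 zend_long db = -1;
 zend_bool replace = 0;
-zval *opts = NULL;
+zval *opts = NULL, *z_ele;
+zend_string *zkey;
 
 if (zend_parse_parameters(ZEND_NUM_ARGS(), "ss|a",
 &src, &src_len, &dst, &dst_len, &opts) == FAILURE)
 {
 return FAILURE;
 }
 
-if (opts != NULL && Z_TYPE_P(opts) == IS_ARRAY) {
-zend_string *zkey;
-zval *z_ele;
+if (opts != NULL) {
 ZEND_HASH_FOREACH_STR_KEY_VAL(Z_ARRVAL_P(opts), zkey, z_ele) {
 if (zkey != NULL) {
 ZVAL_DEREF(z_ele);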
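Review bot: The `if (opts != NULL)` guards in redis_geosearch_cmd and redis_geosearchstore_cmd now hand `opts` straight to `Z_ARRVAL_P`, and nothing in those two hunks shows that it was parsed as an array. In the other five functions the visible `zend_parse_parameters` format uses an `a` specifier, which guarantees an array whenever the pointer is non-NULL, but the parsing for the two geo functions lies outside the hunk. If `opts` can reach those guards as a generic zval, dropping `Z_TYPE_P(opts) == IS_ARRAY` turns a non-array argument into a read of the wrong union member. Please confirm the format strings there, and consider recording the invariant next to each guard, e.g. `/* "a" in zend_parse_parameters guarantees an array when non-NULL */`.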
