Merge branch 'release/v1.0.1'

Merge the v1.0.1 release branch and bump the dev version to 1.0.2-dev
2021-10-04 13:35:10 -07:00 · 2021-10-04 13:35:10 -07:00 · a39824a5df
commit a39824a5df
parent 9eca1f36f4 8d1bfac464
5 changed files with 31 additions and 2 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,3 +1,13 @@
+## [1.0.1](https://github.com/redis/hiredis/tree/v1.0.1) - (2021-10-04)
+
+Announcing Hiredis v1.0.1, a security release fixing CVE-2021-32765
+
+- Fix for [CVE-2021-32765](https://github.com/redis/hiredis/security/advisories/GHSA-hfm9-39pp-55p2)
+  [commit](https://github.com/redis/hiredis/commit/76a7b10005c70babee357a7d0f2becf28ec7ed1e)
+  ([Yossi Gottlieb](https://github.com/yossigo))
+
+_Thanks to [Yossi Gottlieb](https://github.com/yossigo) for the security fix and to [Microsoft Security Vulnerability Research](https://www.microsoft.com/en-us/msrc/msvr) for finding the bug._ :sparkling_heart:
+
 ## [1.0.0](https://github.com/redis/hiredis/tree/v1.0.0) - (2020-08-03)

 Announcing Hiredis v1.0.0, which adds support for RESP3, SSL connections, allocator injection, and better Windows support! :tada:
--- a/README.md
+++ b/README.md
@ -22,6 +22,10 @@ Redis version >= 1.2.0.
 The library comes with multiple APIs. There is the
 *synchronous API*, the *asynchronous API* and the *reply parsing API*.

+## Upgrading to `1.0.1`
+
+Version 1.0.1 is simply 1.0.0 with a fix for [CVE-2021-32765](https://github.com/redis/hiredis/security/advisories/GHSA-hfm9-39pp-55p2).  They are otherwise identical.
+
 ## Upgrading to `1.0.0`

 Version 1.0.0 marks the first stable release of Hiredis.
--- a/hiredis.c
+++ b/hiredis.c
@ -178,6 +178,7 @@ static void *createArrayObject(const redisReadTask *task, size_t elements) {
        return NULL;

    if (elements > 0) {
+        if (SIZE_MAX / sizeof(redisReply*) < elements) return NULL;  /* Don't overflow */
        r->element = hi_calloc(elements,sizeof(redisReply*));
        if (r->element == NULL) {
            freeReplyObject(r);
--- a/hiredis.h
+++ b/hiredis.h
@ -47,8 +47,8 @@ typedef long long ssize_t;

 #define HIREDIS_MAJOR 1
 #define HIREDIS_MINOR 0
-#define HIREDIS_PATCH 1
-#define HIREDIS_SONAME 1.0.1-dev
+#define HIREDIS_PATCH 2
+#define HIREDIS_SONAME 1.0.2-dev

 /* Connection type can be blocking or non-blocking and is set in the
 * least significant bit of the flags field in redisContext. */
--- a/test.c
+++ b/test.c
@ -499,6 +499,20 @@ static void test_reply_reader(void) {
    freeReplyObject(reply);
    redisReaderFree(reader);

+    test("Multi-bulk never overflows regardless of maxelements: ");
+    size_t bad_mbulk_len = (SIZE_MAX / sizeof(void *)) + 3;
+    char bad_mbulk_reply[100];
+    snprintf(bad_mbulk_reply, sizeof(bad_mbulk_reply), "*%llu\r\n+asdf\r\n",
+        (unsigned long long) bad_mbulk_len);
+
+    reader = redisReaderCreate();
+    reader->maxelements = 0;    /* Don't rely on default limit */
+    redisReaderFeed(reader, bad_mbulk_reply, strlen(bad_mbulk_reply));
+    ret = redisReaderGetReply(reader,&reply);
+    test_cond(ret == REDIS_ERR && strcasecmp(reader->errstr, "Out of memory") == 0);
+    freeReplyObject(reply);
+    redisReaderFree(reader);
+
 #if LLONG_MAX > SIZE_MAX
    test("Set error when array > SIZE_MAX: ");
    reader = redisReaderCreate();