diff options
Diffstat (limited to 'databases/keydb/files/patch-CVE-2025-46817')
| -rw-r--r-- | databases/keydb/files/patch-CVE-2025-46817 | 86 |
1 files changed, 86 insertions, 0 deletions
diff --git a/databases/keydb/files/patch-CVE-2025-46817 b/databases/keydb/files/patch-CVE-2025-46817 new file mode 100644 index 000000000000..56ae3ec6378b --- /dev/null +++ b/databases/keydb/files/patch-CVE-2025-46817 @@ -0,0 +1,86 @@ +diff --git a/deps/lua/src/lbaselib.c b/deps/lua/src/lbaselib.c +index 2ab550bd48d..26172d15b40 100644 +--- deps/lua/src/lbaselib.c ++++ deps/lua/src/lbaselib.c +@@ -340,13 +340,14 @@ static int luaB_assert (lua_State *L) { + + + static int luaB_unpack (lua_State *L) { +- int i, e, n; ++ int i, e; ++ unsigned int n; + luaL_checktype(L, 1, LUA_TTABLE); + i = luaL_optint(L, 2, 1); + e = luaL_opt(L, luaL_checkint, 3, luaL_getn(L, 1)); + if (i > e) return 0; /* empty range */ +- n = e - i + 1; /* number of elements */ +- if (n <= 0 || !lua_checkstack(L, n)) /* n <= 0 means arith. overflow */ ++ n = (unsigned int)e - (unsigned int)i; /* number of elements minus 1 */ ++ if (n >= INT_MAX || !lua_checkstack(L, ++n)) + return luaL_error(L, "too many results to unpack"); + lua_rawgeti(L, 1, i); /* push arg[i] (avoiding overflow problems) */ + while (i++ < e) /* push arg[i + 1...e] */ +diff --git a/deps/lua/src/ltable.c b/deps/lua/src/ltable.c +index f75fe19fe39..55575a8ace9 100644 +--- deps/lua/src/ltable.c ++++ deps/lua/src/ltable.c +@@ -434,8 +434,7 @@ static TValue *newkey (lua_State *L, Table *t, const TValue *key) { + ** search function for integers + */ + const TValue *luaH_getnum (Table *t, int key) { +- /* (1 <= key && key <= t->sizearray) */ +- if (cast(unsigned int, key-1) < cast(unsigned int, t->sizearray)) ++ if (1 <= key && key <= t->sizearray) + return &t->array[key-1]; + else { + lua_Number nk = cast_num(key); +diff --git a/tests/unit/scripting.tcl b/tests/unit/scripting.tcl +index 333cc2692de..d45c63ceec3 100644 +--- tests/unit/scripting.tcl ++++ tests/unit/scripting.tcl +@@ -315,6 +315,45 @@ start_server {tags {"scripting"}} { + set e + } {*against a key*} + ++ test {EVAL - Test table unpack with invalid indexes} { ++ catch {run_script { return {unpack({1,2,3}, -2, 2147483647)} } 0} e ++ assert_match {*too many results to unpack*} $e ++ catch {run_script { return {unpack({1,2,3}, 0, 2147483647)} } 0} e ++ assert_match {*too many results to unpack*} $e ++ catch {run_script { return {unpack({1,2,3}, -2147483648, -2)} } 0} e ++ assert_match {*too many results to unpack*} $e ++ set res [run_script { return {unpack({1,2,3}, -1, -2)} } 0] ++ assert_match {} $res ++ set res [run_script { return {unpack({1,2,3}, 1, -1)} } 0] ++ assert_match {} $res ++ ++ # unpack with range -1 to 5, verify nil indexes ++ set res [run_script { ++ local function unpack_to_list(t, i, j) ++ local n, v = select('#', unpack(t, i, j)), {unpack(t, i, j)} ++ for i = 1, n do v[i] = v[i] or '_NIL_' end ++ v.n = n ++ return v ++ end ++ ++ return unpack_to_list({1,2,3}, -1, 5) ++ } 0] ++ assert_match {_NIL_ _NIL_ 1 2 3 _NIL_ _NIL_} $res ++ ++ # unpack with negative range, verify nil indexes ++ set res [run_script { ++ local function unpack_to_list(t, i, j) ++ local n, v = select('#', unpack(t, i, j)), {unpack(t, i, j)} ++ for i = 1, n do v[i] = v[i] or '_NIL_' end ++ v.n = n ++ return v ++ end ++ ++ return unpack_to_list({1,2,3}, -2147483648, -2147483646) ++ } 0] ++ assert_match {_NIL_ _NIL_ _NIL_} $res ++ } {} ++ + test {EVAL - JSON numeric decoding} { + # We must return the table as a string because otherwise + # Redis converts floats to ints and we get 0 and 1023 instead |