1 files changed, 35 insertions, 0 deletions

diff --git a/CVE-2021-29478.patch b/CVE-2021-29478.patch
new file mode 100644
index 0000000..c7002c2
--- /dev/null
+++ b/CVE-2021-29478.patch
@@ -0,0 +1,35 @@
+From ef78ba0a7793a0b6be026ec77ef3c7e919efa08a Mon Sep 17 00:00:00 2001
+From: Oran Agra <oran@redislabs.com>
+Date: Mon, 3 May 2021 08:27:22 +0300
+Subject: [PATCH] Fix integer overflow in intset (CVE-2021-29478)
+
+An integer overflow bug in Redis 6.2 could be exploited to corrupt the heap and
+potentially result with remote code execution.
+
+The vulnerability involves changing the default set-max-intset-entries
+configuration value, creating a large set key that consists of integer values
+and using the COPY command to duplicate it.
+
+The integer overflow bug exists in all versions of Redis starting with 2.6,
+where it could result with a corrupted RDB or DUMP payload, but not exploited
+through COPY (which did not exist before 6.2).
+---
+ src/intset.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/intset.c b/src/intset.c
+index 198c90a..8d35536 100644
+--- a/src/intset.c
++++ b/src/intset.c
+@@ -278,7 +278,7 @@ uint32_t intsetLen(const intset *is) {
+ 
+ /* Return intset blob size in bytes. */
+ size_t intsetBlobLen(intset *is) {
+-    return sizeof(intset)+intrev32ifbe(is->length)*intrev32ifbe(is->encoding);
++    return sizeof(intset)+(size_t)intrev32ifbe(is->length)*intrev32ifbe(is->encoding);
+ }
+ 
+ #ifdef REDIS_TEST
+-- 
+2.23.0
+