Fix integer overflow bug in Lua bit_tohex

Fix for CVE-2024-31449 This patch was provided to us by Valkey, who received it from Redis Ltd. > An authenticated user may use a specially crafted Lua script to > trigger a stack buffer overflow in the bit library, which may > potentially lead to remote code execution. Fixes: https://codeberg.org/redict/redict/issues/55 Signed-off-by: Drew DeVault <sir@cmpwn.com>
2025-01-21 23:58:51 -05:00 · 2024-09-16 09:06:20 +02:00 · 2024-09-16 09:06:20 +02:00 · c09bc5df79
commit c09bc5df79
parent e035e7b763
2 changed files with 7 additions and 0 deletions
--- a/deps/lua/src/lua_bit.c
+++ b/deps/lua/src/lua_bit.c
@ -132,6 +132,7 @@ static int bit_tohex(lua_State *L)
  const char *hexdigits = "0123456789abcdef";
  char buf[8];
  int i;
+  if (n == INT32_MIN) n = INT32_MIN+1;
  if (n < 0) { n = -n; hexdigits = "0123456789ABCDEF"; }
  if (n > 8) n = 8;
  for (i = (int)n; --i >= 0; ) { buf[i] = hexdigits[b & 15]; b >>= 4; }
--- a/tests/unit/scripting.tcl
+++ b/tests/unit/scripting.tcl
@ -699,6 +699,12 @@ start_server {tags {"scripting"}} {
        set e
    } {ERR *Attempt to modify a readonly table*}

+    test {lua bit.tohex bug} {
+        set res [run_script {return bit.tohex(65535, -2147483648)} 0]
+        r ping
+        set res
+    } {0000FFFF}
+
    test {Test an example script DECR_IF_GT} {
        set decr_if_gt {
            local current