From c09bc5df7977aef8dba59d6c44e971fe711a71a0 Mon Sep 17 00:00:00 2001
From: Drew DeVault
Date: Mon, 16 Sep 2024 09:06:20 +0200
Subject: [PATCH] Fix integer overflow bug in Lua bit_tohex

Fix for CVE-2024-31449

This patch was provided to us by Valkey, who received it from Redis Ltd.

> An authenticated user may use a specially crafted Lua script to
> trigger a stack buffer overflow in the bit library, which may
> potentially lead to remote code execution.

Fixes: https://codeberg.org/redict/redict/issues/55
Signed-off-by: Drew DeVault
---
 deps/lua/src/lua_bit.c | 1 +
 tests/unit/scripting.tcl | 6 ++++++
 2 files changed, 7 insertions(+)

diff --git a/deps/lua/src/lua_bit.c b/deps/lua/src/lua_bit.c
index 9f83b8594..7e43faea4 100644
--- a/deps/lua/src/lua_bit.c
+++ b/deps/lua/src/lua_bit.c
@@ -132,6 +132,7 @@ static int bit_tohex(lua_State *L)
 const char *hexdigits = "0123456789abcdef";
 char buf[8];
 int i;
+ if (n == INT32_MIN) n = INT32_MIN+1;
 if (n < 0) { n = -n; hexdigits = "0123456789ABCDEF"; }
 if (n > 8) n = 8;
 for (i = (int)n; --i >= 0; ) { buf[i] = hexdigits[b & 15]; b >>= 4; }
diff --git a/tests/unit/scripting.tcl b/tests/unit/scripting.tcl
index 87a1e5656..0b4846908 100644
--- a/tests/unit/scripting.tcl
+++ b/tests/unit/scripting.tcl
@@ -699,6 +699,12 @@ start_server {tags {"scripting"}} {
 set e
 } {ERR *Attempt to modify a readonly table*}
 
+ test {lua bit.tohex bug} {
+ set res [run_script {return bit.tohex(65535, -2147483648)} 0]
+ r ping
+ set res
+ } {0000FFFF}
+
 test {Test an example script DECR_IF_GT} {
 set decr_if_gt {
 local current
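Review bot: The new guard `if (n == INT32_MIN) n = INT32_MIN+1;` in bit_tohex has no comment, so it reads like an arbitrary special case that a later cleanup could remove. The reason for it is that `n = -n` on the following line cannot represent the negation of INT32_MIN, so n would stay negative and the `if (n > 8) n = 8;` clamp that keeps n within `buf[8]` would not apply. I would add `/* -INT32_MIN is not representable; keep n negatable so the n > 8 clamp below still bounds it */` above the guard. The guard also assumes n is a 32-bit signed type and that INT32_MIN is defined in this translation unit on every supported compiler; both declarations are outside the hunk and should be confirmed. The start of the function and the code that consumes n and buf after the loop are also outside the hunk.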
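Review bot: The regression test pins only the exact INT32_MIN argument, and its name `lua bit.tohex bug` does not say which bug it guards against. I would name it for the condition, for example `test {lua bit.tohex with n = INT32_MIN (CVE-2024-31449)} {`. I would also add the neighbouring call `bit.tohex(65535, -2147483647)`, which should yield `0000FFFF` as well, so that a later change to the guard's boundary is caught. The `r ping` line is the liveness check and deserves a short comment such as `# server must still respond after the call`.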