From 08aed7e7dd1c338e5fb69a10b8ae09a0ec11e96a Mon Sep 17 00:00:00 2001
From: yiyuaner
Date: Tue, 22 Mar 2022 16:46:16 +0800
Subject: [PATCH] Fix an off by one error in zzlStrtod (#10465)

When vlen = sizeof(buf), the statement buf[vlen] = '\0' accessing the buffer buf is an off by one error.
---
 src/t_zset.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/t_zset.c b/src/t_zset.c
index dd0678f7a..3710b62d7 100644
--- a/src/t_zset.c
+++ b/src/t_zset.c
@@ -721,8 +721,8 @@ zskiplistNode *zslLastInLexRange(zskiplist *zsl, zlexrangespec *range) {
 double zzlStrtod(unsigned char *vstr, unsigned int vlen) {
 char buf[128];
- if (vlen > sizeof(buf))
- vlen = sizeof(buf);
+ if (vlen > sizeof(buf) - 1)
+ vlen = sizeof(buf) - 1;
 memcpy(buf,vstr,vlen);
 buf[vlen] = '\0';
 return strtod(buf,NULL);
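Review bot: An input of 128 bytes or more is still truncated silently in zzlStrtod: the new clamp keeps the terminator inside `buf`, but `strtod(buf,NULL)` then parses only the first 127 bytes and the caller cannot tell that the value was cut. The NULL end pointer also means a partially numeric string is accepted without notice. Whether any caller can pass such a length is not visible in this hunk, so at minimum I would document the contract above the clamp, for example `/* vstr need not be NUL-terminated; at most sizeof(buf)-1 bytes are parsed, longer input is truncated. */`. The function's closing brace lies outside the hunk.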