From 399a6b2b471cac481b00673e317fd585bd13d41f Mon Sep 17 00:00:00 2001
From: antirez <antirez@gmail.com>
Date: Thu, 9 Apr 2020 16:20:41 +0200
Subject: [PATCH] incrRefCount(): abort on statically allocated object.

---
 src/object.c | 10 +++++++++-
 src/server.h |  4 +++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/object.c b/src/object.c
index 52d5b11f5..1bc400e85 100644
--- a/src/object.c
+++ b/src/object.c
@@ -347,7 +347,15 @@ void freeStreamObject(robj *o) {
 }
 
 void incrRefCount(robj *o) {
-    if (o->refcount != OBJ_SHARED_REFCOUNT) o->refcount++;
+    if (o->refcount < OBJ_FIRST_SPECIAL_REFCOUNT) {
+        o->refcount++;
+    } else {
+        if (o->refcount == OBJ_SHARED_REFCOUNT) {
+            /* Nothing to do: this refcount is immutable. */
+        } else if (o->refcount == OBJ_STATIC_REFCOUNT) {
+            serverPanic("You tried to retain an object allocated in the stack");
+        }
+    }
 }
 
 void decrRefCount(robj *o) {
diff --git a/src/server.h b/src/server.h
index b8c46153d..9691381c3 100644
--- a/src/server.h
+++ b/src/server.h
@@ -597,7 +597,9 @@ typedef struct RedisModuleDigest {
 #define LRU_CLOCK_MAX ((1<<LRU_BITS)-1) /* Max value of obj->lru */
 #define LRU_CLOCK_RESOLUTION 1000 /* LRU clock resolution in ms */
 
-#define OBJ_SHARED_REFCOUNT INT_MAX
+#define OBJ_SHARED_REFCOUNT INT_MAX     /* Global object never destroyed. */
+#define OBJ_STATIC_REFCOUNT (INT_MAX-1) /* Object allocated in the stack. */
+#define OBJ_FIRST_SPECIAL_REFCOUNT OBJ_STATIC_REFCOUNT
 typedef struct redisObject {
     unsigned type:4;
     unsigned encoding:4;