From 3a8d13760ad2b474d4d5e5414e23894cbb7c9a7d Mon Sep 17 00:00:00 2001
From: John Sully
Date: Sat, 28 Sep 2019 17:38:26 -0400
Subject: [PATCH] Fix double free in RDB load

Former-commit-id: 070c4818715b56645855abb72af47c846fc63027
---
 src/rdb.cpp | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/rdb.cpp b/src/rdb.cpp
index b983167a4..ee61b3f19 100644
--- a/src/rdb.cpp
+++ b/src/rdb.cpp
@@ -2107,7 +2107,10 @@ int rdbLoadRio(rio *rdb, rdbSaveInfo *rsi, int loading_aof) {
         /* Read key */
         if (key != nullptr)
+        {
             decrRefCount(key);
+            key = nullptr;
+        }
         if ((key = rdbLoadStringObject(rdb)) == NULL) goto eoferr;
         /* Read value */
@@ -2119,7 +2122,9 @@ int rdbLoadRio(rio *rdb, rdbSaveInfo *rsi, int loading_aof) {
          * snapshot taken by the master may not be reflected on the slave. */
         if (listLength(g_pserver->masters) == 0 && !loading_aof && expiretime != -1 && expiretime < now) {
             decrRefCount(key);
+            key = nullptr;
             decrRefCount(val);
+            val = nullptr;
         } else {
             /* Add the new object in the hash table */
             int fInserted = dbMerge(db, key, val, rsi->fForceSetKey); // Note: dbMerge will incrRef
@@ -2136,6 +2141,7 @@ int rdbLoadRio(rio *rdb, rdbSaveInfo *rsi, int loading_aof) {
         else {
             decrRefCount(val);
+            val = nullptr;
         }
     }
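Review bot: The added `key = nullptr;` in the first hunk is a dead store: the very next statement, `if ((key = rdbLoadStringObject(rdb)) == NULL) goto eoferr;`, overwrites key on both the success and the failure path, so this hunk does not contribute to the double-free fix unless rdbLoadStringObject can throw, which the hunk does not show. If the assignment is kept for uniformity with the other two hunks, a one-line comment such as `/* key/val are nulled right after decrRefCount so the eoferr cleanup never releases them twice */` would record the invariant the commit relies on. rdbLoadRio's body starts and ends outside the hunk, and the eoferr label it jumps to is not visible here, so the cleanup that double-freed is inferred from the commit title rather than from the diff.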
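Review bot: The `decrRefCount(x); x = nullptr;` pair now appears three times across the second and third hunks (key and val in the expired-key branch, val in the final else), and the double free stays fixed only as long as every future release site remembers the second line. A small helper would make the invariant structural rather than conventional: `static inline void decrRefCountClear(robj *&o) { decrRefCount(o); o = nullptr; }` (the parameter type is assumed from decrRefCount's usual signature; adjust if rdb.cpp declares it differently). In the else branch, what happens to key and val after `dbMerge(db, key, val, rsi->fForceSetKey)` lies outside the hunk, so whether that path also nulls them after its own release cannot be confirmed from this diff.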