From d4c0a970e7038c11631acbc6a8b3fbae118cabcc Mon Sep 17 00:00:00 2001
From: Oran Agra <oran@redislabs.com>
Date: Tue, 28 Feb 2023 15:15:46 +0200
Subject: [PATCH] Integer Overflow in RAND commands can lead to assertion
 (CVE-2023-25155) (#11857)

Issue happens when passing a negative long value that greater than
the max positive value that the long can store.
---
 src/t_hash.cpp           | 6 +++---
 src/t_set.cpp            | 2 +-
 src/t_zset.cpp           | 6 +++---
 tests/unit/type/hash.tcl | 2 ++
 tests/unit/type/set.tcl  | 5 +++++
 tests/unit/type/zset.tcl | 2 ++
 6 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/src/t_hash.cpp b/src/t_hash.cpp
index ed1bb4d63..1d152c463 100644
--- a/src/t_hash.cpp
+++ b/src/t_hash.cpp
@@ -1221,13 +1221,13 @@ void hrandfieldCommand(client *c) {
     ziplistEntry ele;
 
     if (c->argc >= 3) {
-        if (getLongFromObjectOrReply(c,c->argv[2],&l,NULL) != C_OK) return;
-        if (c->argc > 4 || (c->argc == 4 && strcasecmp(szFromObj(c->argv[3]),"withvalues"))) {
+        if (getRangeLongFromObjectOrReply(c,c->argv[2],-LONG_MAX,LONG_MAX,&l,NULL) != C_OK) return;
+        if (c->argc > 4 || (c->argc == 4 && strcasecmp(c->argv[3]->ptr,"withvalues"))) {
             addReplyErrorObject(c,shared.syntaxerr);
             return;
         } else if (c->argc == 4) {
             withvalues = 1;
-            if (l < LONG_MIN/2 || l > LONG_MAX/2) {
+            if (l < -LONG_MAX/2 || l > LONG_MAX/2) {
                 addReplyError(c,"value is out of range");
                 return;
             }
diff --git a/src/t_set.cpp b/src/t_set.cpp
index 23b161c10..9d69ca9c7 100644
--- a/src/t_set.cpp
+++ b/src/t_set.cpp
@@ -672,7 +672,7 @@ void srandmemberWithCountCommand(client *c) {
 
     dict *d;
 
-    if (getLongFromObjectOrReply(c,c->argv[2],&l,NULL) != C_OK) return;
+    if (getRangeLongFromObjectOrReply(c,c->argv[2],-LONG_MAX,LONG_MAX,&l,NULL) != C_OK) return;
     if (l >= 0) {
         count = (unsigned long) l;
     } else {
diff --git a/src/t_zset.cpp b/src/t_zset.cpp
index 4d351da45..c1ceaeb81 100644
--- a/src/t_zset.cpp
+++ b/src/t_zset.cpp
@@ -4210,13 +4210,13 @@ void zrandmemberCommand(client *c) {
     ziplistEntry ele;
 
     if (c->argc >= 3) {
-        if (getLongFromObjectOrReply(c,c->argv[2],&l,NULL) != C_OK) return;
-        if (c->argc > 4 || (c->argc == 4 && strcasecmp(szFromObj(c->argv[3]),"withscores"))) {
+        if (getRangeLongFromObjectOrReply(c,c->argv[2],-LONG_MAX,LONG_MAX,&l,NULL) != C_OK) return;
+        if (c->argc > 4 || (c->argc == 4 && strcasecmp(c->argv[3]->ptr,"withscores"))) {
             addReplyErrorObject(c,shared.syntaxerr);
             return;
         } else if (c->argc == 4) {
             withscores = 1;
-            if (l < LONG_MIN/2 || l > LONG_MAX/2) {
+            if (l < -LONG_MAX/2 || l > LONG_MAX/2) {
                 addReplyError(c,"value is out of range");
                 return;
             }
diff --git a/tests/unit/type/hash.tcl b/tests/unit/type/hash.tcl
index 091b1cee1..76a1e53df 100644
--- a/tests/unit/type/hash.tcl
+++ b/tests/unit/type/hash.tcl
@@ -71,6 +71,8 @@ start_server {tags {"hash"}} {
     test "HRANDFIELD count overflow" {
         r hmset myhash a 1
         assert_error {*value is out of range*} {r hrandfield myhash -9223372036854770000 withvalues}
+        assert_error {*value is out of range*} {r hrandfield myhash -9223372036854775808 withvalues}
+        assert_error {*value is out of range*} {r hrandfield myhash -9223372036854775808}
     } {}
 
     test "HRANDFIELD with <count> against non existing key" {
diff --git a/tests/unit/type/set.tcl b/tests/unit/type/set.tcl
index ee7b936b5..a24b4c601 100644
--- a/tests/unit/type/set.tcl
+++ b/tests/unit/type/set.tcl
@@ -588,6 +588,11 @@ start_server {
         r srandmember nonexisting_key 100
     } {}
 
+    test "SRANDMEMBER count overflow" {
+        r sadd myset a
+        assert_error {*value is out of range*} {r srandmember myset -9223372036854775808}
+    } {}
+
     # Make sure we can distinguish between an empty array and a null response
     r readraw 1
 
diff --git a/tests/unit/type/zset.tcl b/tests/unit/type/zset.tcl
index 5ea619ea3..02184fc8c 100644
--- a/tests/unit/type/zset.tcl
+++ b/tests/unit/type/zset.tcl
@@ -1717,6 +1717,8 @@ start_server {tags {"zset"}} {
     test "ZRANDMEMBER count overflow" {
         r zadd myzset 0 a
         assert_error {*value is out of range*} {r zrandmember myzset -9223372036854770000 withscores}
+        assert_error {*value is out of range*} {r zrandmember myzset -9223372036854775808 withscores}
+        assert_error {*value is out of range*} {r zrandmember myzset -9223372036854775808}
     } {}
 
     # Make sure we can distinguish between an empty array and a null response