From da1360383cee326aa4c1b9c284fa91fa08cc55d7 Mon Sep 17 00:00:00 2001
From: John Sully
Date: Wed, 21 Apr 2021 01:19:29 +0000
Subject: [PATCH] Fix issue where we reply a dangling pointer
Former-commit-id: fd11e490c39fe876d979eace5eaec56c645cdfcf
---
 src/db.cpp | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/src/db.cpp b/src/db.cpp
index 00a001877..afed04ee8 100644
--- a/src/db.cpp
+++ b/src/db.cpp
@@ -3076,6 +3076,7 @@ bool redisDbPersistentData::prefetchKeysAsync(client *c, parsed_command &command
 }
 }
+ bool fNoInsert = false;
 if (!vecInserts.empty()) {
 lock.arm(c);
 for (auto &tuple : vecInserts)
@@ -3091,9 +3092,16 @@ bool redisDbPersistentData::prefetchKeysAsync(client *c, parsed_command &command
 // While unlocked this was already ensured
 decrRefCount(o);
 sdsfree(sharedKey);
+ fNoInsert = true;
 }
 else
 {
+ if (spexpire != nullptr) {
+ if (spexpire->when() < mstime()) {
+ fNoInsert = true;
+ break;
+ }
+ }
 dictAdd(m_pdict, sharedKey, o);
 o->SetFExpires(spexpire != nullptr);
@@ -3117,7 +3125,7 @@ bool redisDbPersistentData::prefetchKeysAsync(client *c, parsed_command &command
 lock.disarm();
 }
- if (fExecOK && cmd->proc == getCommand && !vecInserts.empty()) {
+ if (fExecOK && !fNoInsert && cmd->proc == getCommand && !vecInserts.empty()) {
 robj *o = std::get<1>(vecInserts[0]);
 if (o != nullptr) {
 addReplyBulk(c, o);
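Review bot: `fNoInsert` is declared without a comment, and its name reads as "nothing was inserted" although the later hunks set it as soon as any single tuple is freed or skipped. Because this flag is what keeps the GET fast path from replying with a released object, I would document it at the declaration: `// true if any prefetched object was freed or skipped instead of inserted; vecInserts must not be used for a reply then`. A name such as `fSkippedInsert` would state the meaning more directly. The function body starts and ends outside this hunk.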
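Review bot: The early `break` in the expired-key branch leaves the loop without releasing `o` and `sharedKey` for the current tuple, and the remaining entries of `vecInserts` are neither inserted nor released. The already-present branch just above calls `decrRefCount(o)` and `sdsfree(sharedKey)` before setting the flag, so if the tuples hold owning raw pointers (the later `std::get<1>(vecInserts[0])` yielding `robj *` suggests they do) each expired key leaks its object and key string. In that first branch the freed pointer also stays in the tuple, so the `o != nullptr` check in the reply path cannot catch it and only `fNoInsert` stands between that path and the freed object. I would release the pair and `continue`, as sketched below; the loop and the function both extend outside this hunk, so confirm nothing after `dictAdd` depends on the break.

```cpp
else
{
    if (spexpire != nullptr && spexpire->when() < mstime()) {
        // Already expired: release it like the already-present case and keep
        // processing the remaining prefetched keys.
        decrRefCount(o);
        sdsfree(sharedKey);
        fNoInsert = true;
        continue;
    }
    dictAdd(m_pdict, sharedKey, o);
    // … unchanged: expire bookkeeping for the inserted object …
```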
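Review bot: The reply still reads `o` out of `vecInserts[0]` after `lock.disarm()`, so its safety rests on the `fNoInsert` flag alone and on nothing else releasing the object in between. Once `dictAdd` has handed `o` to `m_pdict`, another thread could presumably delete or overwrite the key after the lock is released (inferred from the arm/disarm calls; the locking model is not visible here), which would leave the same kind of dangling pointer this commit is fixing. Consider taking a reference while the lock is still armed and dropping it after the reply, or sending the reply before `lock.disarm()`. At minimum a comment on the condition, `// skip the fast path if any object in vecInserts was freed or not inserted above`, would record why the flag is checked. The block continues past the end of the hunk.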