[3.1] redis: Integer wraparound in lua_struct.c causing stack-based buffer overflow (CVE-2015-8080)
It was found that getnum() function in lua_struct.c is vulnerable to
integer overflow that
can be used to trigger stack-based buffer overflow. getnum() can be
tricked into an integer
wraparound with a large size number as input, thus returning a negative
value.
This affects all released versions of redis in both 2.8 and 3.0
branches.
2.8.23 and 3.0.5 is affected.
References:
https://github.com/antirez/redis/issues/2855
https://bugzilla.redhat.com/show\_bug.cgi?id=CVE-2015-8080
(from redmine: issue id 4946, created on 2015-12-10, closed on 2015-12-19)
- Relations:
- parent #4943 (closed)