From: antirez <antirez@gmail.com>
Date: Sun, 19 Dec 2010 11:22:12 +0000 (+0100)
Subject: overflow detection in INCR family functions
X-Git-Url: https://git.saurik.com/redis.git/commitdiff_plain/9d7165e885b3de44577dea2917bb4f3afa2ed335?hp=--cc

overflow detection in INCR family functions
---

9d7165e885b3de44577dea2917bb4f3afa2ed335
diff --git a/src/t_string.c b/src/t_string.c
index eb080c88..c3e3607f 100644
--- a/src/t_string.c
+++ b/src/t_string.c
@@ -346,14 +346,19 @@ void msetnxCommand(redisClient *c) {
 }
 
 void incrDecrCommand(redisClient *c, long long incr) {
-    long long value;
+    long long value, oldvalue;
     robj *o;
 
     o = lookupKeyWrite(c->db,c->argv[1]);
     if (o != NULL && checkType(c,o,REDIS_STRING)) return;
     if (getLongLongFromObjectOrReply(c,o,&value,NULL) != REDIS_OK) return;
 
+    oldvalue = value;
     value += incr;
+    if ((incr < 0 && value > oldvalue) || (incr > 0 && value < oldvalue)) {
+        addReplyError(c,"increment or decrement would overflow");
+        return;
+    }
     o = createStringObjectFromLongLong(value);
     dbReplace(c->db,c->argv[1],o);
     touchWatchedKey(c->db,c->argv[1]);