From be86082be4c79922906a1261228a8e7df4279a86 Mon Sep 17 00:00:00 2001
From: antirez
Date: Thu, 27 Jan 2011 10:27:25 +0100
Subject: [PATCH] Fixed a theoretical non exploitable security bug reported by @chrisrohlf. In theory if we undefine SDS_ABORT_ON_OOM from sds.c AND modify zmalloc.c in order to don't quit on out of memory (but this would break every other part of Redis), on out of memory there is a possible heap overflow.
---
 src/sds.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/sds.c b/src/sds.c
index da049f6c..67e2d456 100644
--- a/src/sds.c
+++ b/src/sds.c
@@ -305,7 +305,10 @@ sds *sdssplitlen(char *s, int len, char *sep, int seplen, int *count) {
 #ifdef SDS_ABORT_ON_OOM
 if (tokens == NULL) sdsOomAbort();
 #endif
- if (seplen < 1 || len < 0 || tokens == NULL) return NULL;
+ if (seplen < 1 || len < 0 || tokens == NULL) {
+ *count = 0;
+ return NULL;
+ }
 if (len == 0) {
 *count = 0;
 return tokens;
@@ -360,6 +363,7 @@ cleanup:
 int i;
 for (i = 0; i < elements; i++) sdsfree(tokens[i]);
 zfree(tokens);
+ *count = 0;
 return NULL;
 }
 #endif
--
2.47.2
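Review bot: The early-return branch at `if (seplen < 1 || len < 0 || tokens == NULL)` still returns NULL without releasing `tokens` when the rejection comes from `seplen` or `len` rather than from a failed allocation. The allocation is above the hunk, so this is inferred from the `tokens == NULL` test and the `zfree(tokens)` in the cleanup path; if it holds, every call with a bad length leaks the token array. Either validate `seplen` and `len` before allocating, or add `if (tokens != NULL) zfree(tokens);` ahead of `*count = 0;`. The body of sdssplitlen starts above the hunk and continues below it.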
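Review bot: The added `*count = 0;` ahead of `return NULL;` in the cleanup path has no comment, so it reads as redundant and is easy to drop in a later tidy-up. Going by the commit message, the intent is presumably that a caller which walks the result using `*count` never sees a stale or partial count next to a NULL array. A one-line comment such as `/* A NULL return must always pair with *count == 0: callers may loop on it. */` would record that. The same guarantee belongs in the function's header comment, since the first hunk relies on it as well. The cleanup block starts above the hunk.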