From 4d17e17fc8480f079990970f85876d70da7cd759 Mon Sep 17 00:00:00 2001
From: michael-grunder
Date: Tue, 25 Jan 2022 20:52:57 -0800
Subject: [PATCH 1/2] Fix LZF decompression logic.

Rework how we decompress LZF data. Previously it was possible to encounter a double-free, if the error was not E2BIG.
---
 library.c | 21 ++++++++-------------
 tests/RedisTest.php | 8 ++++++++
 2 files changed, 16 insertions(+), 13 deletions(-)

diff --git a/library.c b/library.c
index 386763ec52..0f09a5929e 100644
--- a/library.c
+++ b/library.c
@@ -3030,27 +3030,22 @@ redis_uncompress(RedisSock *redis_sock, char **dst, size_t *dstlen, const char *
         case REDIS_COMPRESSION_LZF:
 #ifdef HAVE_REDIS_LZF
             {
-                char *data;
-                int i;
+                char *data = NULL;
                 uint32_t res;
+                int i = 2;
 
                 if (len == 0)
                     break;
 
-                /* start from two-times bigger buffer and
-                 * increase it exponentially if needed */
+                /* Grow our buffer until we succeed or get a non E2BIG error */
                 errno = E2BIG;
                 for (i = 2; errno == E2BIG; i *= 2) {
-                    data = emalloc(i * len);
-                    if ((res = lzf_decompress(src, len, data, i * len)) == 0) {
-                        /* errno != E2BIG will brake for loop */
-                        efree(data);
-                        continue;
+                    data = erealloc(data, len * i);
+                    if ((res = lzf_decompress(src, len, data, len * i)) > 0) {
+                        *dst = data;
+                        *dstlen = res;
+                        return 1;
                     }
-
-                    *dst = data;
-                    *dstlen = res;
-                    return 1;
                 }
 
                 efree(data);
diff --git a/tests/RedisTest.php b/tests/RedisTest.php
index 66b51f7fc5..6a5f4153ad 100644
--- a/tests/RedisTest.php
+++ b/tests/RedisTest.php
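Review bot: The retry loop `for (i = 2; errno == E2BIG; i *= 2)` has no upper bound on `i`, so termination rests entirely on lzf_decompress eventually reporting something other than E2BIG; whether crafted input can keep it at E2BIG depends on lzf internals not visible here, but if it can, `i *= 2` overflows a signed int (undefined behaviour) and `len * i` wraps before reaching erealloc. A one-line cap keeps the existing failure path (the `efree(data)` after the loop already handles a non-success exit): `for (i = 2; errno == E2BIG && i <= INT_MAX / 2; i *= 2) {`, and if `len` is `size_t` as the hunk header suggests, the product deserves the same check against `SIZE_MAX / i`. As a minor wording point the new comment should read `/* Grow our buffer until we succeed or get a non-E2BIG error */`. The enclosing `redis_uncompress` starts and ends outside this hunk.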
@@ -4730,6 +4730,14 @@ public function testCompressionLZF()
         if (!defined('Redis::COMPRESSION_LZF')) {
             $this->markTestSkipped();
         }
+
+        /* Don't crash on improperly compressed LZF data */
+        $payload = 'not-actually-lzf-compressed';
+        $this->redis->set('badlzf', $payload);
+        $this->redis->setOption(Redis::OPT_COMPRESSION, Redis::COMPRESSION_LZF);
+        $this->assertEquals($payload, $this->redis->get('badlzf'));
+        $this->redis->setOption(Redis::OPT_COMPRESSION, Redis::COMPRESSION_NONE);
+
         $this->checkCompression(Redis::COMPRESSION_LZF, 0);
     }
 

From 66986cea03b09373bb72b9b4d84910d950e532d0 Mon Sep 17 00:00:00 2001
From: Michael Grunder
Date: Wed, 26 Jan 2022 09:41:37 -0800
Subject: [PATCH 2/2] .

---
 library.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/library.c b/library.c
index 0f09a5929e..440306ea8d 100644
--- a/library.c
+++ b/library.c
@@ -3032,7 +3032,7 @@ redis_uncompress(RedisSock *redis_sock, char **dst, size_t *dstlen, const char *
             {
                 char *data = NULL;
                 uint32_t res;
-                int i = 2;
+                int i;
 
                 if (len == 0)
                     break;
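Review bot: The new test leaves the `badlzf` key behind and, if the `assertEquals` throws, never resets `OPT_COMPRESSION` to `COMPRESSION_NONE`, so a failure here can bleed into whatever runs next on the same connection. Adding `$this->redis->del('badlzf');` after the assertion covers the first; wrapping the option switch in try/finally would cover the second, unless setUp gives each test a fresh instance (not visible in this hunk). The assertion also relies on the driver returning the raw stored bytes when LZF decompression fails, which is worth stating in the comment, e.g. `/* Undecompressable data must be returned verbatim, not crash */`.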