Copilot commented on code in PR #3049:
URL: https://github.com/apache/brpc/pull/3049#discussion_r2244165836


##########
src/brpc/redis_reply.cpp:
##########
@@ -233,14 +233,14 @@ ParseError RedisReply::ConsumePartialIOBuf(butil::IOBuf& 
buf) {
                 _data.array.replies = NULL;
                 return PARSE_OK;
             }
-            int64_t array_size = sizeof(RedisReply) * count;
-            if (array_size > FLAGS_redis_max_allocation_size) {
+            int64_t max_count = FLAGS_redis_max_allocation_size / 
sizeof(RedisReply);
+            if (count > max_count) {
                 LOG(ERROR) << "array allocation exceeds max allocation size! 
max=" 
-                           << FLAGS_redis_max_allocation_size << ", actually=" 
<< array_size;
+                           << max_count << ", count=" << count;
                 return PARSE_ERROR_ABSOLUTELY_WRONG;
             }
             // FIXME(gejun): Call allocate_aligned instead.
-            RedisReply* subs = (RedisReply*)_arena->allocate(array_size);
+            RedisReply* subs = 
(RedisReply*)_arena->allocate(sizeof(RedisReply) * count);
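Review bot: The LOG(ERROR) line still says "array allocation exceeds max allocation size! max=" but the value streamed after it is now `max_count`, an element count, not the byte limit held in `FLAGS_redis_max_allocation_size`. Relabel it (for example `max_count=`) or log the flag value next to `count`, so someone reading the log can tell which limit was hit and in which unit. Separately, `FLAGS_redis_max_allocation_size / sizeof(RedisReply)` divides the flag by an unsigned `size_t`. If the flag is a signed type, a negative setting would be converted to a large unsigned value before the division and the bound would stop limiting anything, so reject a non-positive flag value before computing `max_count`. The allocation line also repeats `sizeof(RedisReply) * count`. Computing the byte size once, after the check, and passing that variable to `_arena->allocate` keeps the checked quantity and the allocated quantity visibly the same.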

Review Comment:
   The multiplication `sizeof(RedisReply) * count` can still overflow even 
after the check. The check on line 237 prevents overflow only when `count > 
max_count`, but if `count == max_count` and `FLAGS_redis_max_allocation_size` 
is not perfectly divisible by `sizeof(RedisReply)`, the multiplication could 
still result in a value larger than `FLAGS_redis_max_allocation_size`. Consider 
using `_arena->allocate(max_count * sizeof(RedisReply))` when `count == 
max_count`, or ensure the division is exact.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@brpc.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

