From d7264aaf0538bfdd0986367bb71a857ee497ee9d Mon Sep 17 00:00:00 2001
From: yanghuan <673020559@qq.com>
Date: Wed, 18 May 2022 11:01:10 +0800
Subject: [PATCH] [sync] PR-19: fix CVE-2022-24736

---
 CVE-2022-24736.patch | 37 +++++++++++++++++++++++++++++++++++++
 redis6.spec          |  7 ++++++-
 2 files changed, 43 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2022-24736.patch

diff --git a/CVE-2022-24736.patch b/CVE-2022-24736.patch
new file mode 100644
index 0000000..c0ecf93
--- /dev/null
+++ b/CVE-2022-24736.patch
@@ -0,0 +1,37 @@
+diff -Naru redis-6.0.11/src/scripting.c redis-6.0.11-new/src/scripting.c
+--- redis-6.0.11/src/scripting.c	2021-02-23 07:35:37.000000000 +0800
++++ redis-6.0.11-new/src/scripting.c	2022-05-17 11:19:01.133330000 +0800
+@@ -558,7 +558,10 @@
+         inuse--;
+         return raise_error ? luaRaiseError(lua) : 1;
+     }
+-
++    
++    /* Pop all arguments from the stack, we do not need them anymore
++     * and this way we guaranty we will have room on the stack for the result. */
++    lua_pop(lua, argc);
+     /* Setup our fake client for command execution */
+     c->argv = argv;
+     c->argc = argc;
+@@ -624,6 +627,7 @@
+      * command marked as non-deterministic was already called in the context
+      * of this script. */
+     if (cmd->flags & CMD_WRITE) {
++        /* Deny writes if we're unale to persist. */
+         int deny_write_type = writeCommandsDeniedByDiskError();
+         if (server.lua_random_dirty && !server.lua_replicate_commands) {
+             luaPushError(lua,
+@@ -646,6 +650,13 @@
+                 sdsfree(aof_write_err);
+             }
+             goto cleanup;
++        } else if (server.masterhost == NULL &&
++                   server.repl_min_slaves_max_lag &&
++                   server.repl_min_slaves_to_write &&
++                   server.repl_good_slaves_count < server.repl_min_slaves_to_write)
++        {
++            luaPushError(lua, shared.noreplicaserr->ptr);
++            goto cleanup;
+         }
+     }
+ 
diff --git a/redis6.spec b/redis6.spec
index 4a8493f..0efd7e2 100644
--- a/redis6.spec
+++ b/redis6.spec
@@ -6,7 +6,7 @@
 %global Pname redis
 Name:                redis6
 Version:             6.0.11
-Release:             6
+Release:             7
 Summary:             A persistent key-value database
 License:             BSD and MIT
 URL:                 https://redis.io
@@ -28,6 +28,7 @@ Patch0005:           CVE-2021-32675.patch
 Patch0006:           CVE-2021-41099.patch
 Patch0007:           CVE-2021-32762.patch
 Patch0008:           fix-help-info.patch
+Patch0009:           CVE-2022-24736.patch
 BuildRequires:       make gcc
 %if %{with tests}
 BuildRequires:       procps-ng tcl
@@ -92,6 +93,7 @@ tar -xvf  %{SOURCE10}
 %patch0005 -p1
 %patch0006 -p1
 %patch0007 -p1
+%patch0009 -p1
 %endif
 %patch0008 -p1
 mv ../%{Pname}-doc-%{doc_commit} doc
@@ -222,6 +224,9 @@ fi
 %{_docdir}/%{Pname}
 
 %changelog
+* Mon May 16 2022 yanghuan <yanghuan92@huawei.com> - 6.0.11-7
+- Fix CVE-2022-24736
+
 * Mon Dec 06 2021 caodongxia <caodongxia@huawei.com> - 6.0.11-6
 - Fix help info 
 
-- 
Gitee