CVE-2020-7105: Null pointer dereferencing in dict.c and async.c · Issue #747 · redis/hiredis
async.c and dict.c in libhiredis.a in hiredis through 0.14.0 allow a NULL pointer dereference because malloc return values are unchecked.
The following code never aborts when malloc is unsuccessful, causing dereferencing of null pointers.
async.c:61

    redisCallback *dup = malloc(sizeof(*dup));
    memcpy(dup,src,sizeof(*dup)); // dup may be null
    return dup;

dict.c:75

    dict *ht = malloc(sizeof(*ht));
    _dictInit(ht,type,privDataPtr); // ht may be null

dict.c:146

    entry = malloc(sizeof(*entry));
    entry->next = ht->table[index]; // entry may be null

dict.c:261

    dictIterator *iter = malloc(sizeof(*iter));
    iter->ht = ht; // iter may be null
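The checked form of the async.c:61 and dict.c:146 patterns above, as an added example that is not part of the original issue and is not the hiredis code or its eventual fix. The types, `xmalloc`, `fail_alloc`, `callback_dup`, `table_add` and `demo` are hypothetical names, and returning an error to the caller is an assumed policy; aborting on failure is the other common choice.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the hiredis types named in the issue. */
typedef struct entry { void *key; struct entry *next; } entry;
typedef struct table { entry **bucket; unsigned long used; } table;
typedef struct callback { void (*fn)(void *); void *privdata; } callback;

/* Fault-injecting allocator so the out-of-memory path can be exercised. */
static int fail_alloc = 0;
static void *xmalloc(size_t n) { return fail_alloc ? NULL : malloc(n); }

/* async.c:61 pattern, checked: never memcpy into a NULL destination. */
callback *callback_dup(const callback *src) {
    callback *dup = xmalloc(sizeof(*dup));
    if (dup == NULL) return NULL;          /* caller must handle NULL */
    memcpy(dup, src, sizeof(*dup));
    return dup;
}

/* dict.c:146 pattern, checked: the table is left untouched on failure. */
int table_add(table *t, unsigned long index, void *key) {
    entry *e = xmalloc(sizeof(*e));
    if (e == NULL) return -1;              /* no write through e */
    e->key = key;
    e->next = t->bucket[index];
    t->bucket[index] = e;
    t->used++;
    return 0;
}

/* Exercises the failure path, then the success path; returns 0 when
 * both behave as intended. All inputs here are constructed. */
int demo(void) {
    entry *slots[4] = {0};
    table t = { slots, 0 };
    callback cb = { NULL, &t };
    int bad = 0;
    fail_alloc = 1;                        /* simulate malloc returning NULL */
    bad |= callback_dup(&cb) != NULL;
    bad |= table_add(&t, 1, "k") != -1 || t.used != 0 || slots[1] != NULL;
    fail_alloc = 0;                        /* normal allocation */
    callback *c = callback_dup(&cb);
    bad |= c == NULL || c->privdata != &t;
    bad |= table_add(&t, 1, "k") != 0 || t.used != 1 || slots[1] == NULL;
    free(c);
    free(slots[1]);
    return bad;
}

int main(void) { return demo(); }
```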