From 862e03978c79ac105b95b8c6d068287156b8c604 Mon Sep 17 00:00:00 2001
From: Ran Shidlansik <ranshid@amazon.com>
Date: Mon, 11 Aug 2025 11:32:48 +0300
Subject: [PATCH] Fix out-of-bound memory access when num-fields is not
 provided

Signed-off-by: Ran Shidlansik <ranshid@amazon.com>
---
 src/t_hash.c              |  6 +++---
 tests/unit/hashexpire.tcl | 10 ++++++++++
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/src/t_hash.c b/src/t_hash.c
index f0f363075f7..4cca69525f8 100644
--- a/src/t_hash.c
+++ b/src/t_hash.c
@@ -1191,7 +1191,7 @@ void hsetexCommand(client *c) {
     robj **new_argv = NULL;
     int new_argc = 0;
 
-    for (; fields_index < c->argc; fields_index++) {
+    for (; fields_index < c->argc - 1; fields_index++) {
         if (!strcasecmp(c->argv[fields_index]->ptr, "fields")) {
             /* checking optional flags */
             if (parseExtendedCommandArgumentsOrReply(c, &flags, &unit, &expire, &comparison, COMMAND_HSET, fields_index++) != C_OK) return;
@@ -1358,7 +1358,7 @@ void hgetexCommand(client *c) {
     int new_argc = 0;
     int milliseconds_index = -1, numitems_index = -1;
 
-    for (; fields_index < c->argc; fields_index++) {
+    for (; fields_index < c->argc - 1; fields_index++) {
         if (!strcasecmp(c->argv[fields_index]->ptr, "fields")) {
             /* checking optional flags */
             if (parseExtendedCommandArgumentsOrReply(c, &flags, &unit, &expire, &comparison, COMMAND_HGET, fields_index++) != C_OK) return;
@@ -1611,7 +1611,7 @@ void hexpireGenericCommand(client *c, long long basetime, int unit) {
     robj **new_argv = NULL;
     int new_argc = 0;
 
-    for (; fields_index < c->argc; fields_index++) {
+    for (; fields_index < c->argc - 1; fields_index++) {
         if (!strcasecmp(c->argv[fields_index]->ptr, "fields")) {
             /* checking optional flags */
             if (parseExtendedExpireArgumentsOrReply(c, &flag, fields_index++) != C_OK) return;
diff --git a/tests/unit/hashexpire.tcl b/tests/unit/hashexpire.tcl
index cd91e7bbc2d..5d61c63a431 100644
--- a/tests/unit/hashexpire.tcl
+++ b/tests/unit/hashexpire.tcl
@@ -2053,6 +2053,16 @@ start_server {tags {"hashexpire"}} {
         assert_morethan [r HTTL myhash FIELDS 1 f1] 0
         assert_equal 1 [get_keys_with_volatile_items r]
     }
+
+    test {Verify error when hash expire commands num fields is not provided} {
+        r FLUSHALL
+        catch {r hsetex myhash KEEPTTL KEEPTTL KEEPTTL FIELDS} e
+        assert_match $e {ERR numfields should be greater than 0 and match the provided number of fields}
+        catch {r hexpire myhash 10 NX NX FIELDS} e
+        assert_match $e {ERR numfields should be greater than 0 and match the provided number of fields}
+        catch {r hgetex myhash PERSIST PERSIST FIELDS} e
+        assert_match $e {ERR numfields should be greater than 0 and match the provided number of fields}
+    }
 }
 
 ####### Test info