fixed a refcounting bug with SORT ... STORE leading to random crashes

Author: root

dict.c

@@ -226,21 +226,24 @@ int dictAdd(dict *ht, void *key, void *val)
     return DICT_OK;
 }
 
-/* Add an element, discarding the old if the key already exists */
+/* Add an element, discarding the old if the key already exists.
+ * Return 1 if the key was added from scratch, 0 if there was already an
+ * element with such key and dictReplace() just performed a value update
+ * operation. */
 int dictReplace(dict *ht, void *key, void *val)
 {
     dictEntry *entry;
 
     /* Try to add the element. If the key
      * does not exists dictAdd will suceed. */
     if (dictAdd(ht, key, val) == DICT_OK)
-        return DICT_OK;
+        return 1;
     /* It already exists, get the entry */
     entry = dictFind(ht, key);
     /* Free the old value and set the new one */
     dictFreeEntryVal(ht, entry);
     dictSetHashVal(ht, entry, val);
-    return DICT_OK;
+    return 0;
 }
 
 /* Search and remove an element */

redis.c

@@ -4664,7 +4664,9 @@ static void sortCommand(redisClient *c) {
                 }
             }
         }
-        dictReplace(c->db->dict,storekey,listObject);
+        if (dictReplace(c->db->dict,storekey,listObject)) {
+            incrRefCount(storekey);
+        }
         /* Note: we add 1 because the DB is dirty anyway since even if the
          * SORT result is empty a new key is set and maybe the old content
          * replaced. */