From e1d35aca01c4240fa6c3feac55b00e9c1640abc0 Mon Sep 17 00:00:00 2001
From: Moti Cohen <moticless@gmail.com>
Date: Mon, 13 Apr 2026 09:46:46 +0300
Subject: [PATCH] Fix HEXPIRE numfields overflow (#15021)

Validate HEXPIRE-family field counts without parser overflow
keep flexible option order; only require fields fit in argv
add tests for INT_MAX numfields across HEXPIRE/HPEXPIRE/HEXPIREAT/HPEXPIREAT
---
 src/t_hash.c                          | 5 +++--
 tests/unit/type/hash-field-expire.tcl | 5 +++++
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/t_hash.c b/src/t_hash.c
index acfa6c6a9..e258eb71f 100644
--- a/src/t_hash.c
+++ b/src/t_hash.c
@@ -3608,15 +3608,16 @@ static int parseHashCommandArgs(client *c, HashCommandArgs *args,
                                               &numFields, "Parameter `numFields` should be greater than 0") != C_OK)
                 return C_ERR;
 
-            args->fieldCount = (int)numFields;
             args->firstFieldPos = i + 2;
 
             /* Check bounds - we must have exactly the right number of fields */
-            if (args->firstFieldPos + args->fieldCount > c->argc) {
+            if (numFields > c->argc - args->firstFieldPos) {
                 addReplyError(c, "wrong number of arguments");
                 return C_ERR;
             }
 
+            args->fieldCount = (int)numFields;
+
             /* Skip over the field arguments */
             i = args->firstFieldPos + args->fieldCount - 1;
             continue;
diff --git a/tests/unit/type/hash-field-expire.tcl b/tests/unit/type/hash-field-expire.tcl
index 7f3520e80..e1ba72019 100644
--- a/tests/unit/type/hash-field-expire.tcl
+++ b/tests/unit/type/hash-field-expire.tcl
@@ -2359,6 +2359,11 @@ start_server {tags {"hash"}} {
             assert_error {*Parameter*numFields*should be greater than 0*} {r HEXPIRE myhash 60 FIELDS -1 f1}
             assert_error {*invalid number of fields*} {r HSETEX myhash FIELDS 0 f1 v1 EX 60}
             assert_error {*invalid number of fields*} {r HGETEX myhash FIELDS 0 f1 EX 60}
+            set future_sec [expr {[clock seconds] + 60}]
+            set future_ms [expr {[clock milliseconds] + 60000}]
+            foreach {cmd expire} [list HEXPIRE 60 HPEXPIRE 60000 HEXPIREAT $future_sec HPEXPIREAT $future_ms] {
+                assert_error {*wrong number of arguments*} [list r $cmd myhash $expire FIELDS 2147483647 f1]
+            }
 
             # Test missing FIELDS keyword
             assert_error {*unknown argument*} {r HEXPIRE myhash 60 2 f1 f2}