Describe the bug
https://github.com/redis/redis/blob/unstable/src/rdb.c#L97
rdbWriteRaw's input parameter len is of type size_t, but it returns an int.
If we write data over 2GB, the return value of rdbWriteRaw will overflow, which may cause an rdb format error.
For example:
https://github.com/redis/redis/blob/unstable/src/rdb.c#L447
rdbSaveLzfStringObject will return a big negative number, but we only cover the cases n==-1 and n>0.
If rdbWriteRaw overflows, the string will be written twice: first compressed, then plain. The rdb format will mismatch and cause a serverPanic on loading the rdb.
Additional information
Even if Redis limits the size of strings and bitmaps to less than 512M, some modules could exceed the limit.
I found this problem by using RedisBloom. There is the same issue caused by this bug.
Comment From: ShooterIT
hi @liguangbo I think you can submit a PR to fix this problem
Comment From: liguangbo
> hi @liguangbo I think you can submit a PR to fix this problem
But I want to get some advice on this.
Changing the rdbWriteRaw return value from int to size_t will affect lots of function calls and needs more checking and testing.
Or just adjusting the if segment of rdbSaveLzfStringObject to cover the situation of n<0 can also fix this temporarily.
Comment From: ShooterIT
I think we should change the rdbWriteRaw return value type from int to ssize_t (instead of size_t),
because we also need to handle https://github.com/redis/redis/blob/unstable/src/rdb.c#L458, and we should not hide a bug we already know about.
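
The truncation and caller check described in the issue, next to the ssize_t return type proposed in the last comment, as an added example (not Redis source code and not written by the thread's participants). All function names are hypothetical, no data is actually written, and a 64-bit platform with 32-bit int and 64-bit ssize_t is assumed.

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>   /* ssize_t */

/* Hypothetical stand-ins for a raw writer: they only report "bytes written". */
static int raw_write_int(size_t len) {
    return (int)len;          /* size_t narrowed to int, as the issue describes */
}
static ssize_t raw_write_ssize(size_t len) {
    return (ssize_t)len;      /* return type proposed in the thread */
}

enum outcome { SAVE_ERROR, SAVE_COMPRESSED, SAVE_FALLS_THROUGH_TO_PLAIN };

/* Caller modelled on the described check: only n == -1 and n > 0 are handled.
 * Any other value, including a large negative one, falls through to the plain
 * write even though the compressed copy has already been emitted. */
static enum outcome save_string_int(size_t compressed_len) {
    int n = raw_write_int(compressed_len);
    if (n == -1) return SAVE_ERROR;
    if (n > 0) return SAVE_COMPRESSED;
    return SAVE_FALLS_THROUGH_TO_PLAIN;
}

/* Same caller with a wide signed return type and every negative value
 * treated as an error instead of silently falling through. */
static enum outcome save_string_ssize(size_t compressed_len) {
    ssize_t n = raw_write_ssize(compressed_len);
    if (n < 0) return SAVE_ERROR;
    if (n > 0) return SAVE_COMPRESSED;
    return SAVE_FALLS_THROUGH_TO_PLAIN;
}

int main(void) {
    size_t three_gb = (size_t)3 << 30;   /* constructed length above 2GB */
    printf("int return for 3GB:     %d\n", raw_write_int(three_gb));
    printf("ssize_t return for 3GB: %lld\n", (long long)raw_write_ssize(three_gb));
    printf("int caller outcome:     %d\n", save_string_int(three_gb));
    printf("ssize_t caller outcome: %d\n", save_string_ssize(three_gb));
    return 0;
}
```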