In the file t_zset.c, the function zzlStrtod (code) has a buffer overrun bug:
```c
#include <stdlib.h>
#include <string.h>

double zzlStrtod(unsigned char *vstr, unsigned int vlen) {
    char buf[128];
    /* Clamps vlen to 128, not 127, so no room is left for the terminator. */
    if (vlen > sizeof(buf))
        vlen = sizeof(buf);
    memcpy(buf,vstr,vlen);
    buf[vlen] = '\0';   /* with vlen == 128 this writes buf[128], one past the end */
    return strtod(buf,NULL);
}
```
When `vlen = sizeof(buf)`, the statement `buf[vlen] = '\0'` accessing the buffer `buf` is an off-by-one error.
Though it may not be directly exploitable, I think this is certainly a bug.
Comment From: oranagra
thanks. i agree it looks kinda harmless (one byte on the stack with value of 0 that doesn't depend on the user's inputs). do you wanna make a pull request to fix that?