We tested the newest libbson from master at mongo-c-driver and found a crash when parsing a corrupted BSON buffer.
Base64-encoded payload: GAAAAAUOGS4ABAAAAAIAAAAAAAAFDgAAGAAAAAUOGS4ABAAAAAIAAAAAAAAFDgAAGAAAAAUAAAAAAAAFDhkuAAQAAAACAAAA
ASAN report:
==39647==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x607000070068 at pc 0x000000530cc2 bp 0x7ffdde442010 sp 0x7ffdde442008
READ of size 4 at 0x607000070068 thread T0
#0 0x530cc1 in _bson_iter_next_internal /home/xm1994/dive-test/sources/mongo-c-driver-1.12.0/src/libbson/src/bson/bson-iter.c:632:10
#1 0x536986 in bson_iter_visit_all /home/xm1994/dive-test/sources/mongo-c-driver-1.12.0/src/libbson/src/bson/bson-iter.c:1934:11
#2 0x51fcfd in _bson_as_json_visit_all /home/xm1994/dive-test/sources/mongo-c-driver-1.12.0/src/libbson/src/bson/bson.c:3158:8
#3 0x513076 in LLVMFuzzerTestOneInput /home/xm1994/dive-test/sources/mongo-c-driver-1.12.0/fuzz/fuzzer.c:42:13
#4 0x42d6ac in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /local/mnt/workspace/clang_nightly/plain/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:515:13
#5 0x42cf0b in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /local/mnt/workspace/clang_nightly/plain/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:440:3
#6 0x42e8bd in fuzzer::Fuzzer::MutateAndTestOne() /local/mnt/workspace/clang_nightly/plain/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:648:19
#7 0x42f505 in fuzzer::Fuzzer::Loop(std::vector<std::string, fuzzer::fuzzer_allocator<std::string> > const&) /local/mnt/workspace/clang_nightly/plain/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:775:5
#8 0x424363 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /local/mnt/workspace/clang_nightly/plain/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:754:6
#9 0x445c82 in main /local/mnt/workspace/clang_nightly/plain/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#10 0x7fa8b4624f44 in __libc_start_main /build/eglibc-ripdx6/eglibc-2.19/csu/libc-start.c:287
#11 0x41ce7b in _start (/home/xm1994/dive-test/sources/mongo-c-driver-1.12.0/fuzz/fuzzer+0x41ce7b)
0x607000070068 is located 0 bytes to the right of 72-byte region [0x607000070020,0x607000070068)
allocated by thread T0 here:
#0 0x4e62e3 in __interceptor_malloc /local/mnt/workspace/clang_nightly/plain/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
#1 0x7fa8b5580697 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x6c697)
#2 0x42cf0b in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /local/mnt/workspace/clang_nightly/plain/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:440:3
#3 0x42e8bd in fuzzer::Fuzzer::MutateAndTestOne() /local/mnt/workspace/clang_nightly/plain/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:648:19
#4 0x42f505 in fuzzer::Fuzzer::Loop(std::vector<std::string, fuzzer::fuzzer_allocator<std::string> > const&) /local/mnt/workspace/clang_nightly/plain/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:775:5
#5 0x424363 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /local/mnt/workspace/clang_nightly/plain/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:754:6
#6 0x445c82 in main /local/mnt/workspace/clang_nightly/plain/llvm/utils/release/final/llvm.src/projects/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#7 0x7fa8b4624f44 in __libc_start_main /build/eglibc-ripdx6/eglibc-2.19/csu/libc-start.c:287
SUMMARY: AddressSanitizer: heap-buffer-overflow /home/xm1994/dive-test/sources/mongo-c-driver-1.12.0/src/libbson/src/bson/bson-iter.c:632:10 in _bson_iter_next_internal