[SERVER-12813] Overflow when converting double values in user input to long long values - MongoDB Jira

XML

Word

Printable

JSON

If 'batchSize' argument in cursor exceeds some value, it overflows, being considered negative.

> use foo

switched to db foo

> var bigArray = [];

> for (var i = 0; i < 1000; ++i) { bigArray.push(i); }

> var bigStr = Array(1001).toString();

> for (var i = 0; i < 100; ++i) { db.goo.insert({_id: i, bigArray: bigArray, bigStr: bigStr})};

WriteResult({ "nInserted" : 1 })

> var cursor = db.runCommand({aggregate: "goo", pipeline: [{$unwind:'$bigArray'}], cursor : {batchSize : Math.pow(2, 63)}})

> cursor

	"errmsg" : "exception: Cursor batchSize must not be negative",

	"code" : 16957,

	"ok" : 0

> var cursor = db.runCommand({aggregate: "goo", pipeline: [{$unwind:'$bigArray'}], cursor : {batchSize : Math.pow(2, 62)}})

> cursor

	"cursor" : {

		"id" : NumberLong(0),

		"ns" : "test.goo",

		"firstBatch" : [ ..... ]

},

	"ok" : 1

> print(Math.pow(2, 63))

9223372036854776000

is related to

SERVER-26148 Commands should convert integers from user input safely

SERVER-12814 Aggregation: cursor batchSize NaN is considered a negative number

SERVER-25188 Add non-debug UBSan variant for jstestfuzz tasks

related to

SERVER-35596 "max" field of the createCollection command should be sanitized prior to being interpreted as a long long

Participants:: Backlog - Query Optimization, Charlie Swanson, Davide Italiano, Max Hirschhorn, Steve Tarzia