  1. Core Server
  2. SERVER-20319

Crash on manipulating MinKey and MaxKey's singleton


Details

    • Bug
    • Resolution: Done
    • Major - P3
    • 3.1.9
    • 3.1.7
    • JavaScript
    • Fully Compatible
    • ALL
    • Run

      db.eval("MinKey().__proto__.singleton = 1000; MinKey()")
    • Platform 9 (09/18/15)

    Description

      It appears that the use of JS::RootedValue::toObjectOrNull can have unpredictable results when the value in question is not an object. MinKeyInfo::call and MaxKeyInfo::call use this function on a value in the prototype without checking the types. If the user has altered the value on the prototype, the system may fail with a stacktrace.
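
      The failure mode described above, as an added, simplified model (not MongoDB's or SpiderMonkey's code). `Value`, `Object`, `Proto`, `callUnchecked` and `callChecked` are hypothetical stand-ins: a tagged value is unboxed as an object pointer without a type check, next to a variant that validates the script-writable slot first.

```cpp
// Simplified model (constructed for illustration): Value, Object and Proto are
// stand-ins, not the SpiderMonkey or MongoDB types.
#include <cstdint>
#include <cstring>
#include <map>
#include <string>

struct Object { std::string className; };

// Tagged value: the payload is only meaningful when read according to its tag.
struct Value {
    enum Kind { Undefined, Number, Obj } kind = Undefined;
    std::uint64_t bits = 0;

    static Value number(double d) {
        Value v; v.kind = Number; std::memcpy(&v.bits, &d, sizeof d); return v;
    }
    static Value object(Object* o) {
        Value v; v.kind = Obj; v.bits = reinterpret_cast<std::uintptr_t>(o); return v;
    }
    bool isObject() const { return kind == Obj; }
    // Models an unchecked unboxing accessor: trusts the caller, ignores the tag.
    Object* toObjectOrNull() const {
        return reinterpret_cast<Object*>(static_cast<std::uintptr_t>(bits));
    }
};

using Proto = std::map<std::string, Value>;  // script-writable prototype slots

// Unchecked: whatever script stored in "singleton" comes back as an Object*.
Object* callUnchecked(Proto& proto) {
    return proto["singleton"].toObjectOrNull();
}

// Checked: accept the slot only if it holds an object of the expected class;
// otherwise restore the slot from the trusted instance.
Object* callChecked(Proto& proto, Object* trusted) {
    Value& slot = proto["singleton"];
    if (slot.isObject()) {
        Object* o = slot.toObjectOrNull();
        if (o != nullptr && o->className == "MinKey") return o;
    }
    slot = Value::object(trusted);
    return trusted;
}
```

      In the unchecked path the returned pointer is just the number's bit pattern, so any later dereference is undefined behaviour; the checked path never hands that pointer to the caller.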


          People

            mira.carey@mongodb.com Mira Carey
            spencer.jackson@mongodb.com Spencer Jackson