Core Server / SERVER-20319

Crash on manipulating MinKey and MaxKey's singleton

    • Type: Bug
    • Resolution: Done
    • Priority: Major - P3
    • 3.1.9
    • Affects Version/s: 3.1.7
    • Component/s: JavaScript
    • Labels:
    • Fully Compatible
    • ALL
    • Run

      db.eval("MinKey().__proto__.singleton = 1000; MinKey()")
    • Platform 9 (09/18/15)

      It appears that the use of JS::RootedValue::toObjectOrNull can have unpredictable results when the value in question is not an object. MinKeyInfo::call and MaxKeyInfo::call use this function on a value in the prototype without checking the types. If the user has altered the value on the prototype, the system may fail with a stacktrace.
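
The missing type check described above, as an added C++ sketch (not MongoDB's or SpiderMonkey's code). `Value`, `Object`, `uncheckedSingleton` and `checkedSingleton` are hypothetical stand-ins for the engine value, the prototype object and the two lookup patterns.

```cpp
#include <iostream>
#include <map>
#include <stdexcept>
#include <string>

// Simplified stand-ins for engine values and objects (assumed for illustration).
struct Object;
struct Value {
    enum class Tag { kUndefined, kNumber, kObject };
    Tag tag = Tag::kUndefined;
    double number = 0;
    Object* object = nullptr;
    static Value fromNumber(double d) { Value v; v.tag = Tag::kNumber; v.number = d; return v; }
    static Value fromObject(Object* o) { Value v; v.tag = Tag::kObject; v.object = o; return v; }
    bool isObject() const { return tag == Tag::kObject && object != nullptr; }
};
struct Object { std::map<std::string, Value> props; };

// Unchecked pattern: takes the object pointer without looking at the tag.
// In this model a non-object yields nullptr, which the caller would then dereference.
Object* uncheckedSingleton(const Object& proto) {
    auto it = proto.props.find("singleton");
    return it == proto.props.end() ? nullptr : it->second.object;
}

// Checked pattern: script-writable prototype state is validated before use,
// and a wrong type becomes an ordinary error instead of a crash.
Object* checkedSingleton(const Object& proto) {
    auto it = proto.props.find("singleton");
    if (it == proto.props.end() || !it->second.isObject())
        throw std::invalid_argument("prototype 'singleton' is not an object");
    return it->second.object;
}

int main() {
    Object key, proto;
    proto.props["singleton"] = Value::fromObject(&key);
    std::cout << "intact: " << (checkedSingleton(proto) == &key) << "\n";
    // Constructed input mirroring the report: singleton overwritten with a number.
    proto.props["singleton"] = Value::fromNumber(1000);
    try {
        checkedSingleton(proto);
    } catch (const std::invalid_argument& e) {
        std::cout << "rejected: " << e.what() << "\n";
    }
    return 0;
}
```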

            Assignee: Mira Carey (mira.carey@mongodb.com)
            Reporter: Spencer Jackson (spencer.jackson@mongodb.com)
            Votes: 0
            Watchers: 4
