Details
- Bug
- Resolution: Fixed
- Major - P3
- 3.4.10, 3.6.0
- Fully Compatible
- ALL
- v3.6, v3.4
Description
During optimization, $skip will combine itself with an adjacent $skip, and the new value to skip is the sum of the two. However, the addition is performed without overflow checking. The skip value is stored as a long long, which means that we hit undefined behavior in the event of overflow.
The unsafe code is in DocumentSourceSkip::doOptimizeAt() in v3.6 and v3.4.
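The overflow described above can be avoided by testing the bounds before adding. The following is an added example, not MongoDB's code and not the fix that was committed: checkedAdd and coalesceSkips are hypothetical names, the pipeline is modeled as a plain vector of skip counts, and leaving two stages uncombined when the sum does not fit is an assumption about how to handle that case.

```cpp
#include <cstdio>
#include <limits>
#include <vector>

// Hypothetical helper (not MongoDB code): stores a + b in *sum and returns
// true only when the result fits in a long long. The bounds are tested
// before the addition, so the signed add itself can never overflow.
bool checkedAdd(long long a, long long b, long long* sum) {
    const long long kMax = std::numeric_limits<long long>::max();
    const long long kMin = std::numeric_limits<long long>::min();
    if (b > 0 && a > kMax - b) return false;
    if (b < 0 && a < kMin - b) return false;
    *sum = a + b;
    return true;
}

// Simplified model of the optimization: each element is the count of one
// $skip stage, in pipeline order. Adjacent stages are merged only when the
// combined count is representable; otherwise both stages are kept, which
// skips the same documents without relying on an overflowed value.
std::vector<long long> coalesceSkips(const std::vector<long long>& skips) {
    std::vector<long long> out;
    for (long long s : skips) {
        long long sum = 0;
        if (!out.empty() && checkedAdd(out.back(), s, &sum)) {
            out.back() = sum;
        } else {
            out.push_back(s);
        }
    }
    return out;
}

int main() {
    const long long kMax = std::numeric_limits<long long>::max();
    // Constructed sample pipelines.
    for (long long n : coalesceSkips({5, 10})) std::printf("%lld\n", n);
    for (long long n : coalesceSkips({kMax, 1})) std::printf("%lld\n", n);
    return 0;
}
```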