Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Fixed
Priority: Major - P3
Fix Version/s: 4.0.11, 4.2.0-rc1, 4.3.1
Affects Version/s: 4.0.9, 4.1.10
Component/s: Querying
Labels:
- afz

Backwards Compatibility:
Fully Compatible
Operating System:
ALL
Backport Requested:

v4.2, v4.0, v3.6, v3.4
Linked BF Score:
7
Confidence Status:
None
Work Order:
3

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name:
None
Goal Link:
None

The following test results in UB:

(function() {
    pipeline = [{$project: {x: { $subtract: [new Date('2019-04-23T00:05:48.829Z'), Infinity] }}}];
 
    db.adminCommand( { setParameter: 1, traceExceptions: true } )
 
    try {
        const res = db.c.aggregate(pipeline).toArray();
        print("Result was " + tojson(res));
    } catch(e) {
        print("Error was " + tojson(e));
    }
})();

The $subtract is performed with [<some date>, Infinity]. This causes this conversion to long long. This cast is UB when the truncated double is a value that can't fit in a long long (such as Infinity).

We may want to change the implementation of Value::coerceToLong() and audit existing calls to it in case there are similar bugs.

Assignee:: Ted Tuckman
Reporter:: Ian Boros
Participants:: Asya Kamsky, Githook User, Ian Boros, Ted Tuckman
Votes:: 0 Vote for this issue
Watchers:: 7 Start watching this issue

Created:: Apr 26 2019 10:34:22 PM UTC
Updated:: Oct 29 2023 10:21:35 PM UTC
Resolved:: Jun 11 2019 07:59:21 PM UTC
Confidence Status Last Update:: 07/Jun/19 1:08 PM

Details

Description

Attachments

Activity

People

Dates