[SERVER-40869] $subtract with date can cause undefined behavior - MongoDB Jira

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major - P3
Resolution: Fixed
Affects Version/s: 4.0.9, 4.1.10
Fix Version/s: 4.0.11, 4.2.0-rc1, 4.3.1
Component/s: Querying
Labels:
- afz

Backwards Compatibility:
Fully Compatible
Operating System:
ALL
Backport Requested:

v4.2, v4.0, v3.6, v3.4
Linked BF Score:
7

Description

The following test results in UB:

(function() {

    pipeline = [{$project: {x: { $subtract: [new Date('2019-04-23T00:05:48.829Z'), Infinity] }}}];

    db.adminCommand( { setParameter: 1, traceExceptions: true } )

    try {

        const res = db.c.aggregate(pipeline).toArray();

        print("Result was " + tojson(res));

    } catch(e) {

        print("Error was " + tojson(e));

})();

The $subtract is performed with [<some date>, Infinity]. This causes this conversion to long long. This cast is UB when the truncated double is a value that can't fit in a long long (such as Infinity).

We may want to change the implementation of Value::coerceToLong() and audit existing calls to it in case there are similar bugs.

Attachments

Activity

People

Assignee:: Ted Tuckman

Reporter:: Ian Boros

Participants:: Asya Kamsky, Githook User, Ian Boros, Ted Tuckman

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Dates

Created:: Apr 26 2019 10:34:22 PM UTC

Updated:: Feb 07 2020 06:35:58 PM UTC

Resolved:: Jun 11 2019 07:59:21 PM UTC