There are a handful of "basic types" provided by the IDL in basic_types.idl. Among these basic types are safeInt32 and safeInt64, which purport to convert any numerical BSON element (int, long, double, or decimal) into either a 32 bit signed integer or 64 bit signed integer. However, the deserializers for these types just call BSONElement::numberInt() and BSONElement::numberLong(), which do not implement a safe conversion from any double to an integer. In particular, a double which is too large to fit inside a long (or int) will result in undefined behavior.
Any IDL-generated parser will therefore produce UB if provided unsanitized input containing a very large double. There are several uses of safeInt64 and safeInt32 in the code base which may be affected. For instance, the size parameter to the create command looks like it could result in UB if the client specified the value as a very large double.
- related to
-
SERVER-26148 Commands should convert integers from user input safely
- Backlog