Details
- Improvement
- Resolution: Fixed
- Major - P3
- Fully Compatible
- Execution Team 2019-10-21, Execution Team 2019-11-04
Description
The copy() function for BSONObj could detect corrupt BSON earlier and avoid undefined behavior, for two reasons:
- There is no verification that objsize() is below the maximum BSON size. An attempt to allocate a new buffer based on the size of an unowned BSON object can lead to very large allocations.
- By calling objsize() twice, the copy function may allocate a different amount of memory than it writes if the underlying buffer is unowned. This should also be fixed to prevent the possibility of undefined behavior.
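An added illustration of the two fixes the description asks for, not MongoDB's own code: the length prefix is decoded once, bounds-checked against a minimum, a maximum and the bytes actually available, and only then used for both the allocation and the memcpy. The limit kMaxBsonSize, the CopyError names and the sample documents are assumptions made for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Assumed limit for this illustration; the server defines its own maximum BSON size.
constexpr int32_t kMaxBsonSize = 16 * 1024 * 1024;
constexpr int32_t kMinBsonSize = 5;  // 4-byte length prefix plus the 0x00 terminator

enum class CopyError { Ok, TooSmall, TooLarge, ExceedsBuffer };
struct CopyResult {
    CopyError err;
    std::vector<unsigned char> bytes;  // empty unless err == Ok
};

// Hardened stand-in for BSONObj::copy() over an unowned buffer: the size prefix is
// decoded exactly once and validated, and that single value drives both the allocation
// and the memcpy, so the two cannot disagree even if the buffer changes underneath.
CopyResult copyChecked(const unsigned char* data, std::size_t available) {
    if (available < 4) return {CopyError::ExceedsBuffer, {}};
    // BSON stores the document length as a little-endian signed int32.
    uint32_t raw = static_cast<uint32_t>(data[0]) | (static_cast<uint32_t>(data[1]) << 8) |
                   (static_cast<uint32_t>(data[2]) << 16) | (static_cast<uint32_t>(data[3]) << 24);
    int32_t size = static_cast<int32_t>(raw);
    if (size < kMinBsonSize) return {CopyError::TooSmall, {}};   // also rejects negative sizes
    if (size > kMaxBsonSize) return {CopyError::TooLarge, {}};   // no multi-GiB allocations
    if (static_cast<std::size_t>(size) > available) return {CopyError::ExceedsBuffer, {}};
    std::vector<unsigned char> out(static_cast<std::size_t>(size));
    std::memcpy(out.data(), data, out.size());                   // same size as allocated
    return {CopyError::Ok, out};
}

CopyResult copyChecked(const std::vector<unsigned char>& buf) {
    return copyChecked(buf.data(), buf.size());
}

// Constructed inputs for the example (not taken from the ticket).
std::vector<unsigned char> docWithInt() {          // {"a": 1} encodes to 12 bytes
    return {0x0c, 0, 0, 0, 0x10, 'a', 0, 1, 0, 0, 0, 0};
}
std::vector<unsigned char> docHugePrefix() {       // prefix claims ~2 GiB, 5 bytes present
    return {0, 0, 0, 0x7f, 0};
}
std::vector<unsigned char> docNegativePrefix() {   // prefix decodes to -1
    return {0xff, 0xff, 0xff, 0xff, 0};
}
std::vector<unsigned char> docTruncated() {        // prefix says 16 bytes, buffer holds 5
    return {0x10, 0, 0, 0, 0};
}
```

Passing the already-decoded size into the allocation and the copy is the whole point: a second objsize() read would reintroduce the mismatch the ticket describes.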