Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-4609

StringBuilder signed integer max buffer size spec is too low, can cause allocated memory buffer overflow upon call to BSONObj::toString()

    • Type: Icon: Bug Bug
    • Resolution: Done
    • Priority: Icon: Major - P3 Major - P3
    • 2.0.6, 2.1.0
    • Affects Version/s: None
    • Component/s: Stability
    • None
    • ALL

      StringBuilder& operator<<( int x )

      { return SBNUM( x , 11 , "%d" ); }

      One of the longest signed integers is -2147483648, which is 11 bytes to print. And sprintf will add a null byte as a terminator, so 12 total bytes need to be allocated.

      I'd recommend checking the other max sizes passed to SBNUM and also switching to snprintf and checking its return value to ensure the 'n' limit isn't exceeded at runtime.

            Assignee:
            milkie@mongodb.com Eric Milkie
            Reporter:
            aaron Aaron Staple
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: