Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-6186

$substr expression does not check arguments, can trigger an out_of_range exception causing mongod to abort

    XMLWordPrintableJSON

Details

    • ALL

    Description

      Observed behavior: The $substr expression implementation directly calls c++'s string::substr with numeric arguments supplied to it. If the pos argument is greater than the size of the string, string::substr will throw an out_of_range exception and the mongod process will abort.
      Expected behavior: The $substr expression validates its arguments and returns an empty string or uasserts in this case.

      Test:

      c = db.c;
      c.drop();
       
      c.save( {} );
       
      printjson( c.aggregate( { $project:{ a:{ $substr:[ 'a', 2, 1 ] } } } ) );

      Log:

      Fri Jun 22 17:32:47 [conn1] ERROR: Uncaught std::exception: basic_string::substr, terminating
      Fri Jun 22 17:32:47 dbexit: 
      Fri Jun 22 17:32:47 [conn1] shutdown: going to close listening sockets...
      Fri Jun 22 17:32:47 [conn1] closing listening socket: 6
      Fri Jun 22 17:32:47 [conn1] closing listening socket: 7
      Fri Jun 22 17:32:47 [initandlisten] now exiting
      Fri Jun 22 17:32:47 dbexit: ; exiting immediately

      Attachments

        Activity

          People

            aaron Aaron Staple
            aaron Aaron Staple
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: