Core Server / SERVER-6186

$substr expression does not check arguments, can trigger an out_of_range exception causing mongod to abort

    • ALL

      Observed behavior: The $substr expression implementation directly calls C++'s string::substr with numeric arguments supplied to it. If the pos argument is greater than the size of the string, string::substr will throw an out_of_range exception and the mongod process will abort.
      Expected behavior: The $substr expression validates its arguments and returns an empty string or uasserts in this case.

      Test:

      c = db.c;
      c.drop();
      
      c.save( {} );
      
      printjson( c.aggregate( { $project:{ a:{ $substr:[ 'a', 2, 1 ] } } } ) );
      

      Log:

      Fri Jun 22 17:32:47 [conn1] ERROR: Uncaught std::exception: basic_string::substr, terminating
      Fri Jun 22 17:32:47 dbexit: 
      Fri Jun 22 17:32:47 [conn1] shutdown: going to close listening sockets...
      Fri Jun 22 17:32:47 [conn1] closing listening socket: 6
      Fri Jun 22 17:32:47 [conn1] closing listening socket: 7
      Fri Jun 22 17:32:47 [initandlisten] now exiting
      Fri Jun 22 17:32:47 dbexit: ; exiting immediately
      

            Assignee:
            aaron Aaron Staple
            Reporter:
            aaron Aaron Staple
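
An added C++ example, not MongoDB's code or its fix for this issue: `unchecked_substr` passes caller-supplied numbers straight to `std::string::substr` as the report describes, and the hypothetical `checked_substr` validates them first. Returning an empty string for invalid arguments is this example's assumption (the report allows either that or a uassert); the function names and inputs are constructed.

```cpp
#include <cstddef>
#include <iostream>
#include <stdexcept>
#include <string>

// Mirrors the reported behaviour: numeric arguments go straight to
// std::string::substr, which throws std::out_of_range when pos > size().
std::string unchecked_substr(const std::string& s, long long pos, long long len) {
    return s.substr(static_cast<std::size_t>(pos), static_cast<std::size_t>(len));
}

// Hypothetical validated variant (name and policy are assumptions): any
// negative or out-of-range argument yields an empty string instead of a throw.
std::string checked_substr(const std::string& s, long long pos, long long len) {
    if (pos < 0 || len < 0)
        return std::string();
    if (static_cast<unsigned long long>(pos) >= s.size())
        return std::string();
    const std::size_t start = static_cast<std::size_t>(pos);
    const std::size_t avail = s.size() - start;
    const std::size_t count = static_cast<unsigned long long>(len) > avail
                                  ? avail
                                  : static_cast<std::size_t>(len);
    return s.substr(start, count);  // start < size(), so this cannot throw
}

// Returns true if the unchecked call throws std::out_of_range.
bool unchecked_throws(const std::string& s, long long pos, long long len) {
    try {
        unchecked_substr(s, pos, len);
    } catch (const std::out_of_range&) {
        return true;
    }
    return false;
}

int main() {
    // Constructed inputs; the first is the ('a', 2, 1) case from the report.
    std::cout << std::boolalpha
              << unchecked_throws("a", 2, 1) << ' '   // pos > size: throws
              << unchecked_throws("a", 1, 1) << ' '   // pos == size: legal, empty
              << '[' << checked_substr("a", 2, 1) << "] "
              << '[' << checked_substr("hello", 1, 3) << "]\n";
    return 0;
}
```

Note the boundary: `pos == size()` is legal for `std::string::substr` and returns an empty string, so only `pos > size()` (including a negative value converted to `size_t`) reaches the exception path.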