Uploaded image for project: 'WiredTiger'
  1. WiredTiger
  2. WT-11252

Overrun in __wt_modify_apply_item() when value_format=='S' and value->size==0

XMLWordPrintableJSON

    • Type: Icon: Bug Bug
    • Resolution: Fixed
    • Priority: Icon: Major - P3 Major - P3
    • WT11.2.0, 7.1.0-rc0
    • Affects Version/s: None
    • Component/s: None
    • 2023-07-25 Absolute unit
    • 5

      From SERVER-78538:

      Coverity Message

      Out-of-bounds access
      Access of memory not owned by this buffer may cause crashes or incorrect computations. Out-of-bounds access to a buffer
      /src/third_party/wiredtiger/src/support/modify.c:392: OVERRUN 123461 Decrementing "value->size". The value of "value->size" is now 18446744073709551615.

      The issue here is that if __wt_modify_apply_item() is called with value_format='S' and value->size==0 there is a potential for underflow on the unsigned value->size which will then create a potential buffer overrun.

            Assignee:
            chenhao.qu@mongodb.com Chenhao Qu
            Reporter:
            marc.butler@mongodb.com Marc Butler (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: