[CDRIVER-2595] Coverity analysis defect 101170: Integer overflow Created: 05/Apr/18  Updated: 28/Oct/23  Resolved: 13/Apr/18

Status: Closed
Project: C Driver
Component/s: None
Affects Version/s: None
Fix Version/s: 1.10.0

Type: Bug Priority: Major - P3
Reporter: Coverity Collector User Assignee: A. Jesse Jiryu Davis
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


Description

An integer overflow occurs, with the overflowed value used in a sensitive operation.

Defect 101170 (STATIC_C)
Checker INTEGER_OVERFLOW (subcategory none)
File: /src/bson/bson-string.c
Function bson_vsnprintf
/src/bson/bson-string.c, line: 622
Subtract operation overflows on operands "size" and "1UL", whose values are unsigned constants, 0 and 1, respectively.

       str[size - 1] = '\0';

File: /src/bson/bson-string.c
Function bson_vsnprintf
/src/bson/bson-string.c, line: 622
Subtract operation overflows on operands "size" and "1UL".

       str[size - 1] = '\0';

/src/bson/bson-string.c, line: 622
Overflowed or truncated value (or a value computed from an overflowed or truncated value) "str + (size - 1UL)" dereferenced.

       str[size - 1] = '\0';
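The defect above is easiest to see with the two forms side by side. The following is a constructed example added here, not the mongo-c-driver's own code: an unguarded wrapper that reproduces the flagged pattern (for size 0, "size - 1" wraps to SIZE_MAX and str[size - 1] is a write one byte before the buffer), a guarded form that refuses a zero-length buffer before touching memory, and a sentinel-buffer check that makes any out-of-bounds write observable. The function names and the exact shape of the guard are assumptions; the actual fix is in the commit linked in the comments.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the flagged pattern (not the driver's code).
 * With size == 0, the subtraction wraps and str[size - 1] becomes str[-1]:
 * a one-byte buffer underflow. Never call this with size == 0. */
int bson_vsnprintf_unguarded(char *str, size_t size, const char *format, va_list ap)
{
   int r = vsnprintf(str, size, format, ap);
   str[size - 1] = '\0';   /* BUG: underflows when size == 0 */
   return r;
}

/* Hardened form (assumed shape of the fix): reject a NULL or zero-length
 * destination before any write, then force NUL termination so a truncated
 * result is still a valid C string. */
int bson_vsnprintf_guarded(char *str, size_t size, const char *format, va_list ap)
{
   int r;
   if (str == NULL || size == 0) {
      return 0;   /* nothing can be stored; do not touch memory */
   }
   r = vsnprintf(str, size, format, ap);
   str[size - 1] = '\0';
   return r;
}

int bson_snprintf_guarded(char *str, size_t size, const char *format, ...)
{
   va_list ap;
   int r;
   va_start(ap, format);
   r = bson_vsnprintf_guarded(str, size, format, ap);
   va_end(ap);
   return r;
}

/* Self-check: surround a 4-byte destination with sentinel bytes so that a
 * write before str[0] or past str[size - 1] corrupts a sentinel.
 * Returns 1 when all sentinels survive and the output is well formed. */
int demo_sentinels(void)
{
   char block[16];
   char *str = block + 4;       /* block[0..3] are sentinels before str */
   size_t i;
   int r;

   memset(block, 'S', sizeof block);

   /* size 0 must be a complete no-op: the flagged pattern would have
    * written '\0' into block[3] here. */
   bson_snprintf_guarded(str, 0, "%s", "abc");
   for (i = 0; i < sizeof block; i++) {
      if (block[i] != 'S') return 0;
   }

   /* 7 characters into a 4-byte buffer: truncated to "abc" + NUL,
    * return value is the length that would have been written. */
   r = bson_snprintf_guarded(str, 4, "%s", "abcdefg");
   if (r != 7) return 0;
   if (strcmp(str, "abc") != 0) return 0;
   for (i = 0; i < 4; i++) {          /* sentinels before str intact */
      if (block[i] != 'S') return 0;
   }
   for (i = 8; i < sizeof block; i++) { /* sentinels after str intact */
      if (block[i] != 'S') return 0;
   }
   return 1;
}
```

The zero-size case matters because callers commonly probe the required length with a NULL buffer and size 0 before allocating; a wrapper that unconditionally terminates at str[size - 1] turns that idiom into a memory write. Static analyzers flag the wrap of an unsigned subtraction, but a sentinel-buffer test like the one above is the cheap way to keep the regression out of a test suite.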



Comments
Comment by Githook User [ 13/Apr/18 ]

Author:

{'email': 'jesse@mongodb.com', 'name': 'A. Jesse Jiryu Davis', 'username': 'ajdavis'}

Message: CDRIVER-2595 buffer underflow in bson_snprintf

Calling bson_snprintf with size 0 would write one byte before the start
of the destination string.
Branch: master
https://github.com/mongodb/mongo-c-driver/commit/9f6365d32272f86cffd1bc0cb1fd0a27eac3c7b8

Generated at Wed Feb 07 21:15:43 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.