[CDRIVER-2598] Coverity analysis defect 43915: Out-of-bounds read Created: 05/Apr/18  Updated: 27/Oct/23  Resolved: 15/Apr/18

Status: Closed
Project: C Driver
Component/s: None
Affects Version/s: None
Fix Version/s: 1.10.0

Type: Bug Priority: Major - P3
Reporter: Coverity Collector User Assignee: A. Jesse Jiryu Davis
Resolution: Works as Designed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


Description

Out-of-bounds read from a buffer

Defect 43915 (STATIC_C)
Checker OVERRUN (subcategory read)
File: /src/bson/bson-timegm.c
Function timesub
/src/bson/bson-timegm.c, line: 349
Checking "i == 0L" implies that "i" is 0 on the true branch.

                hit = ((i == 0 && lp->ls_corr > 0) ||

/src/bson/bson-timegm.c, line: 349
Underrunning array "sp->lsis" at element index -1 (byte offset -16) using index "i - 1L" (which evaluates to -1).

                hit = ((i == 0 && lp->ls_corr > 0) ||

Comments
Comment by A. Jesse Jiryu Davis [ 15/Apr/18 ]

In bson-timegm.c we've vendored in some intricate clockwork to convert struct tm to a UNIX timestamp, which we use when parsing ISO 8601 datetimes from JavaScript and converting them to BSON datetimes.

Coverity has noticed that a particular routine, timesub, loops over an integer i, decrementing i with each loop, and it reads from a buffer at position i - 1, which seems like it could be equal to -1 in some scenarios. Coverity can't determine for certain whether this is a bug in our vendored code, and neither can I. What I can say for certain is that, due to how libbson uses timesub, i's starting position is always zero, so the loop in which i is used never actually executes.
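The short-circuit hazard behind the Coverity finding, and the call-site argument in the comment above, as a constructed C model added here; this is not libbson's vendored bson-timegm.c, and the struct layout, table size and the names hit_guarded, count_hits and the sample tables are assumptions for illustration only.

```c
#include <stdbool.h>

/* Constructed model of the leap-second table that timesub walks. Field and
 * array names follow the Coverity report (sp->lsis, ls_corr); the struct
 * layout and the table size are assumptions, not libbson's definitions. */
struct lsinfo { long ls_trans; long ls_corr; };
struct state  { int leapcnt; struct lsinfo lsis[4]; };

/* True when an unguarded expression of the form
 *     (i == 0 && lp->ls_corr > 0) || lp->ls_corr > sp->lsis[i - 1].ls_corr
 * would evaluate its right operand with i == 0: the left operand is false,
 * so || falls through and indexes lsis[-1], which is the reported underrun. */
bool unguarded_would_underrun(const struct state *sp, int i) {
    return i == 0 && !(sp->lsis[0].ls_corr > 0);
}

/* Guarded form (our rewrite, not the upstream fix): the correction before
 * entry 0 is taken as zero, so the comparison never indexes below the array.
 * For i > 0 it compares against the previous entry exactly as before. */
bool hit_guarded(const struct state *sp, int i) {
    long prev = (i == 0) ? 0 : sp->lsis[i - 1].ls_corr;
    return sp->lsis[i].ls_corr > prev;
}

/* Models the decrementing walk described in the comment: i starts at leapcnt
 * and the body runs for leapcnt-1 down to 0. With leapcnt == 0 the body never
 * executes, which is the reason the suspect read is unreachable in libbson's
 * usage. Returns the number of entries flagged as hits. */
int count_hits(const struct state *sp) {
    int hits = 0;
    for (int i = sp->leapcnt; --i >= 0;)
        if (hit_guarded(sp, i)) hits++;
    return hits;
}

/* Constructed sample tables (not real tz data). */
const struct state no_leaps  = { 0, { { 0, 0 } } };
const struct state neg_first = { 2, { { 100, -1 }, { 200, 1 } } };
const struct state pos_first = { 2, { { 100,  1 }, { 200, 2 } } };
```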

Generated at Wed Feb 07 21:15:44 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.