[DRIVERS-2651] Add decimal128 clamped zeros tests with very large exponents Created: 20/May/23  Updated: 28/Oct/23  Resolved: 04/Jul/23

Status: Closed
Project: Drivers
Component/s: Decimal128
Fix Version/s: None

Type: Improvement Priority: Unknown
Reporter: Matt Dale Assignee: Matt Dale
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Issue split
split to PHPC-2259 Sync BSON corpus tests for Decimal128... Closed
Related
related to CDRIVER-4662 Possible overflow parsing Decimal128 ... Closed
is related to NODE-3835 Incorrect Decimal128.fromString() for... Backlog
is related to GODRIVER-1519 Extended JSON use of math.BigInt can ... Closed
is related to NODE-5047 node.js driver Decimal128 fromString ... Closed
Driver Changes: Not Needed
Driver Compliance:
Key Status/Resolution FixVersion
PHPC-2259 Fixed 1.17.0

Description

Summary

The Go driver recently fixed a bug that could cause an effectively infinite loop when parsing decimal128 Extended JSON values that contain extremely large positive or negative integers (see GODRIVER-1519). We should add tests to the BSON corpus that check for similar bugs in other drivers.

Motivation

Who is the affected end user?

Customers who want to parse decimal128 values from Extended JSON strings or other strings.

How does this affect the end user?

The parser may hang indefinitely or behave unexpectedly when clamping certain values with very large positive or negative exponents.

How likely is it that this problem or use case will occur?

The problem only occurs when parsing specific strings as decimal128. Examples include:

  • "0E999999999999"
  • "0E-999999999999"

An Extended JSON marshaler that passes the BSON test corpus should never generate the problematic strings, so the problem is only likely to happen if a customer uses the string-to-decimal128 parser to parse user-provided input.
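As an added example (not the Go driver's code and not part of this ticket), the simplified Go parser below shows why the strings listed above are dangerous and how a parser avoids the hang: the exponent is read as a `math/big` integer so a twelve-digit exponent cannot overflow a machine int, and clamping is done with a single comparison plus one multiply or divide rather than by shifting the coefficient one digit per iteration, which is the pattern that spins for ~10^12 steps on `"0E999999999999"`. The `Decimal128` type and `ParseDecimal128` function are hypothetical names for this example; it truncates instead of rounding when dropping digits and returns an error where the real decimal128 format would produce Infinity.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// IEEE 754-2008 decimal128 limits: 34 significant digits, exponent in [-6176, 6111].
const (
	maxExponent = 6111
	minExponent = -6176
	maxDigits   = 34
)

var (
	errSyntax   = errors.New("decimal128: invalid syntax")
	errOverflow = errors.New("decimal128: coefficient does not fit after clamping")
	bigTen      = big.NewInt(10)
)

// Decimal128 is a hypothetical sign/coefficient/exponent triple used only by this
// example; it is not the driver's own representation.
type Decimal128 struct {
	Negative bool
	Coeff    *big.Int // non-negative, at most maxDigits digits
	Exponent int
}

// String renders the value in scientific form, e.g. "0E+6111".
func (d Decimal128) String() string {
	sign := ""
	if d.Negative {
		sign = "-"
	}
	return fmt.Sprintf("%s%sE%+d", sign, d.Coeff.String(), d.Exponent)
}

// clampInt pins an arbitrarily large exponent to the representable range in O(1).
func clampInt(exp *big.Int) int {
	if exp.Cmp(big.NewInt(maxExponent)) > 0 {
		return maxExponent
	}
	if exp.Cmp(big.NewInt(minExponent)) < 0 {
		return minExponent
	}
	return int(exp.Int64())
}

// ParseDecimal128 parses strings such as "1.25E3" or "-0E999999999999".
func ParseDecimal128(s string) (Decimal128, error) {
	var d Decimal128
	if s == "" {
		return d, errSyntax
	}
	if s[0] == '+' || s[0] == '-' {
		d.Negative = s[0] == '-'
		s = s[1:]
	}
	mant, expStr := s, "0"
	if i := strings.IndexAny(s, "eE"); i >= 0 {
		mant, expStr = s[:i], s[i+1:]
	}
	// Parse the exponent as a big.Int: "999999999999" must not overflow or wrap.
	exp, ok := new(big.Int).SetString(expStr, 10)
	if !ok {
		return d, errSyntax
	}
	// Fold a fractional part into the exponent: "1.25" becomes 125E-2.
	if dot := strings.IndexByte(mant, '.'); dot >= 0 {
		exp.Sub(exp, big.NewInt(int64(len(mant)-dot-1)))
		mant = mant[:dot] + mant[dot+1:]
	}
	if mant == "" || strings.Trim(mant, "0123456789") != "" {
		return d, errSyntax
	}
	coeff, _ := new(big.Int).SetString(mant, 10)
	d.Coeff = coeff

	switch {
	case coeff.Sign() == 0:
		// Clamped zero: shifting a zero coefficient changes nothing, so just pin
		// the exponent. A digit-at-a-time loop here is the hang described in the ticket.
		d.Exponent = clampInt(exp)
	case exp.Cmp(big.NewInt(maxExponent)) > 0:
		// Too-large exponent: pad with trailing zeros while precision allows, in one step.
		need := new(big.Int).Sub(exp, big.NewInt(maxExponent))
		room := int64(maxDigits - len(coeff.String()))
		if need.Cmp(big.NewInt(room)) > 0 {
			return d, errOverflow // the real format would yield Infinity
		}
		coeff.Mul(coeff, new(big.Int).Exp(bigTen, need, nil))
		d.Exponent = maxExponent
	case exp.Cmp(big.NewInt(minExponent)) < 0:
		// Too-small exponent: drop low-order digits in one division (truncating here;
		// the real format rounds). Dropping every digit underflows to zero.
		drop := new(big.Int).Sub(big.NewInt(minExponent), exp)
		if drop.Cmp(big.NewInt(int64(len(coeff.String())))) >= 0 {
			coeff.SetInt64(0)
		} else {
			coeff.Quo(coeff, new(big.Int).Exp(bigTen, drop, nil))
		}
		d.Exponent = minExponent
	default:
		d.Exponent = int(exp.Int64())
	}
	if len(coeff.String()) > maxDigits {
		return d, errOverflow
	}
	return d, nil
}

func main() {
	// Constructed inputs, including the two clamped-zero strings from the ticket.
	for _, s := range []string{"0E999999999999", "0E-999999999999", "1.25E3", "1E6112", "123E-6177"} {
		d, err := ParseDecimal128(s)
		if err != nil {
			fmt.Printf("%-16s -> error: %v\n", s, err)
			continue
		}
		fmt.Printf("%-16s -> %s\n", s, d)
	}
}
```

Both clamped-zero strings return immediately as `0E+6111` and `0E-6176`; a parser that instead normalises by repeatedly multiplying or dividing the coefficient by ten until the exponent is in range has a running time proportional to the exponent's magnitude, which is what turns a short string into a hang.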

If the problem does occur, what are the consequences and how severe are they?

The customer's application could hang. If the customer's application parses user-provided input, it could expose the customer to a denial-of-service attack.

Is this issue urgent?

No.

Is this ticket required by a downstream team?

No.

Is this ticket only for tests?

Yes.

Acceptance Criteria

  • Add decimal128 Extended JSON parse tests for clamped zeros with very large exponents.


Comments
Comment by Tom Selander [ 05/Jul/23 ]

SGTM

Comment by Matt Dale [ 04/Jul/23 ]

james.kovacs@mongodb.com tom.selander@mongodb.com closing this ticket and letting drivers pick up the new test case the next time they sync the BSON corpus sounds reasonable. I've merged the spec test change, so I'm moving this ticket to resolved.

Comment by Githook User [ 04/Jul/23 ]

Author:

{'name': 'Matt Dale', 'email': '9760375+matthewdale@users.noreply.github.com', 'username': 'matthewdale'}

Message: DRIVERS-2651 Add decimal128 clamped zeros tests with very large exponents. (#1432)
Branch: master
https://github.com/mongodb/specifications/commit/c09f979ad296400552a98c9b784197ec648c2096

Comment by Tom Selander [ 13/Jun/23 ]

matt.dale@mongodb.com can you take a look at the BSON corpus to double-check that the existing guidance that is there is in alignment with the clarification that you are proposing above. Let us know what you find and if you can make a recommendation, we'll revisit this DRIVERS ticket.
