[SERVER-20319] Crash on manipulating MinKey and MaxKey's singleton Created: 08/Sep/15  Updated: 07/Oct/15  Resolved: 18/Sep/15

Status: Closed
Project: Core Server
Component/s: JavaScript
Affects Version/s: 3.1.7
Fix Version/s: 3.1.9

Type: Bug Priority: Major - P3
Reporter: Spencer Jackson Assignee: Mira Carey
Resolution: Done Votes: 0
Labels: spidermonkey
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible
Operating System: ALL
Steps To Reproduce:

Run

db.eval("MinKey().__proto__.singleton = 1000; MinKey()")

Sprint: Platform 9 (09/18/15)
Participants:

Description

It appears that the use of JS::RootedValue::toObjectOrNull can have unpredictable results when the value in question is not an object. MinKeyInfo::call and MaxKeyInfo::call use this function on a value in the prototype without checking the types. If the user has altered the value on the prototype, the system may fail with a stacktrace.
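To make the failure mode concrete, here is an added example (not MongoDB's or SpiderMonkey's code) that models the value/object types in plain C++ and places the unchecked toObjectOrNull() lookup described above beside a type-checked version. All type and function names are made up for this example, and the fallback of constructing a fresh MinKey when the slot is invalid is an assumption, not necessarily what the fix commit does.

```cpp
// Added example (not MongoDB's or SpiderMonkey's code): a minimal model of the
// value/object types, showing the unchecked toObjectOrNull() use described in
// the issue beside a type-checked version. All names here are made up.
#include <cstdint>
#include <memory>
#include <string>

struct JSObject { std::string className; };  // stand-in for a JS object and its class

// Stand-in for JS::Value: undefined, a number, or an object pointer.
struct Value {
    enum Tag { Undefined, Number, Object } tag = Undefined;
    double num = 0;
    JSObject* obj = nullptr;
    static Value number(double d) { Value v; v.tag = Number; v.num = d; return v; }
    static Value object(JSObject* o) { Value v; v.tag = Object; v.obj = o; return v; }
    bool isObject() const { return tag == Object; }
    // Models a release-build toObjectOrNull(): it does not validate the tag, so
    // for a non-object value the returned pointer is just the payload bits.
    JSObject* toObjectOrNull() const {
        return isObject() ? obj : reinterpret_cast<JSObject*>(static_cast<uintptr_t>(num));
    }
};

// The prototype's "singleton" slot, which script can overwrite
// (e.g. MinKey().__proto__.singleton = 1000 from the repro).
struct MinKeyProto { Value singleton; };

// Unchecked lookup modelled on the bug: trusts the slot to hold an object.
JSObject* minKeyCallUnchecked(const MinKeyProto& proto) {
    return proto.singleton.toObjectOrNull();
}

// Checked lookup modelled on the fix: confirm the slot really holds a MinKey
// before returning it. Falling back to a fresh MinKey when it does not is an
// assumption of this example, not necessarily what the commit does.
JSObject* minKeyCallChecked(const MinKeyProto& proto, std::unique_ptr<JSObject>& fallback) {
    if (proto.singleton.isObject() && proto.singleton.obj->className == "MinKey") {
        return proto.singleton.obj;
    }
    fallback = std::make_unique<JSObject>(JSObject{"MinKey"});
    return fallback.get();
}

int main() {
    JSObject real{"MinKey"};
    std::unique_ptr<JSObject> fallback;
    MinKeyProto tampered{Value::number(1000)};  // constructed tampered slot
    // Checked path survives the tampering; unchecked path yields a bogus pointer.
    return (minKeyCallChecked(tampered, fallback)->className == "MinKey" &&
            minKeyCallUnchecked(tampered) != &real) ? 0 : 1;
}
```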



Comments
Comment by Githook User [ 18/Sep/15 ]

Author: Jason Carey (hanumantmk), jcarey@argv.me

Message: SERVER-20319 Min/MaxKey check type of singleton

Verify that the type of the Min/MaxKey singleton is actually a
Min/MaxKey before returning it in call/ctor context.
Branch: master
https://github.com/mongodb/mongo/commit/ed05a141a8ff70422d6b7a84e877f8318ea35624
