[SERVER-24149] Validation of 2dsphereIndexVersion field during ensureIndex may exhibit undefined behavior Created: 16/May/16 Updated: 06/Jun/16 Resolved: 16/May/16 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Index Maintenance |
| Affects Version/s: | None |
| Fix Version/s: | 3.3.8 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Andrew Morrow (Inactive) | Assignee: | Andrew Morrow (Inactive) |
| Resolution: | Done | Votes: | 0 |
| Labels: | undefined-sanitizer | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Steps To Reproduce: | Run jstests/core/geo_s2indexversion1.js under UBSAN |
| Sprint: | Platforms 15 (06/03/16) |
| Participants: |
| Description |
|
The S2AccessMethod::fixSpec method unconditionally extracts the field 2dsphereIndexVersion and then treats it as a number, even though it may contain non-normal values like Inf or Nan, potentially eliciting undefined behavior. The field should be type and bounds checked before being treated as a valid integer. |
| Comments |
| Comment by Githook User [ 16/May/16 ] |
|
Author: {u'username': u'acmorrow', u'name': u'Andrew Morrow', u'email': u'acm@mongodb.com'}Message: |