[SERVER-30720] Integer overflow in SharedBuffer::grow_reallocate Created: 17/Aug/17 Updated: 30/Oct/23 Resolved: 18/Aug/17 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Internal Code |
| Affects Version/s: | None |
| Fix Version/s: | 3.4.11, 3.5.12 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Martin Neupauer | Assignee: | Martin Neupauer |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||||||
| Backwards Compatibility: | Fully Compatible | ||||||||
| Operating System: | ALL | ||||||||
| Backport Requested: | v3.4, v3.2, v3.0 | ||||||||
| Sprint: | Query 2017-08-21, Query 2017-09-11 | ||||||||
| Participants: | |||||||||
| Case: | (copied to CRM) | ||||||||
| Linked BF Score: | 15 | ||||||||
| Description |
|
When a minSize parameter greater than 1 GB is passed to the grow_reallocate function, the while loop inside the function causes an integer overflow and loops forever. |
| Comments |
| Comment by Githook User [ 02/Jan/18 ] |
|
Author: {'name': 'Martin Neupauer', 'username': 'MartinNeupauer', 'email': 'martin.neupauer@mongodb.com'} Message: Move the length check before the while loop. (cherry picked from commit 5bdeccdef411b3c8e19c19b2e5190119889eba61) |
| Comment by Githook User [ 18/Aug/17 ] |
|
Author: {'username': 'MartinNeupauer', 'email': 'martin.neupauer@mongodb.com', 'name': 'Martin Neupauer'} Message: Move the length check before the while loop. |
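
The failure mode in the description and the fix named in the commit message, modelled as an added example; this is not MongoDB's code and not part of the ticket. The function names, the 32-bit signed size type, the starting capacity of 512 and the `kMaxSize` limit are assumptions of this sketch, and an iteration cap stands in for "loops forever".

```cpp
#include <cstdint>
#include <cstring>

constexpr int32_t kMaxSize = 64 * 1024 * 1024;  // assumed limit for this sketch

enum class Status { Ok, TooLarge, Stuck };
struct Grow { Status status; int32_t capacity; };

// Doubles a signed 32-bit value with two's-complement wraparound; the
// arithmetic is done unsigned so the sketch itself has no undefined behaviour.
int32_t wrappingDouble(int32_t v) {
    uint32_t u = static_cast<uint32_t>(v) * 2u;
    int32_t r;
    std::memcpy(&r, &u, sizeof r);
    return r;
}

// Limit checked only after the doubling loop. maxIters stands in for "forever".
Grow growCheckAfter(int32_t capacity, int32_t minSize, int maxIters = 1000) {
    int32_t a = capacity;
    for (int i = 0; a < minSize; ++i) {
        if (i == maxIters) return {Status::Stuck, a};
        a = wrappingDouble(a);  // 2^30 -> INT32_MIN -> 0 -> 0 -> ...
    }
    if (a > kMaxSize) return {Status::TooLarge, a};
    return {Status::Ok, a};
}

// Limit checked before the loop, so the loop only runs for bounded requests.
// Precondition: 0 < capacity <= kMaxSize.
Grow growCheckFirst(int32_t capacity, int32_t minSize) {
    if (minSize > kMaxSize) return {Status::TooLarge, capacity};
    int32_t a = capacity;
    while (a < minSize) a *= 2;  // a < minSize <= 2^26, so a * 2 cannot overflow
    return {Status::Ok, a};
}

int main() {
    const int32_t overOneGiB = (int32_t{1} << 30) + 1;
    Grow before = growCheckAfter(512, overOneGiB);
    Grow after = growCheckFirst(512, overOneGiB);
    return (before.status == Status::Stuck && after.status == Status::TooLarge) ? 0 : 1;
}
```

A request of exactly 1 GiB still terminates in the check-after version because the doubled value reaches 2^30 and exits the loop; only a request above that forces the extra doubling that wraps to a negative value and then to zero.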