[SERVER-33078] convertToCapped size is not checked for float -> long long overflow Created: 02/Feb/18 Updated: 29/Oct/23 Resolved: 04/Jun/18 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Storage |
| Affects Version/s: | None |
| Fix Version/s: | 3.6.6, 4.0.0-rc5, 4.1.1 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Daniel Gottlieb (Inactive) | Assignee: | Dianna Hohensee (Inactive) |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | neweng, nyc, rbfz | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||||||||||||||
| Backwards Compatibility: | Fully Compatible | ||||||||||||||||
| Operating System: | ALL | ||||||||||||||||
| Backport Requested: |
v4.0, v3.6
|
||||||||||||||||
| Sprint: | Storage NYC 2018-05-21, Storage NYC 2018-06-04 | ||||||||||||||||
| Participants: | |||||||||||||||||
| Linked BF Score: | 46 | ||||||||||||||||
| Description |
|
convertToCapped parses the size field as a number. This double is later assigned to a long long. Normally the validation will fail, bubbling up to the user, when the collection options (now a BSON object) gets parsed into another CollectionOptions for creating the collection. But a pedantic compiler may generate a binary that catches something going wrong earlier (at the assignment itself). |
| Comments |
| Comment by Githook User [ 08/Jun/18 ] |
|
Author: {'username': 'DiannaHohensee', 'name': 'Dianna Hohensee', 'email': 'dianna.hohensee@10gen.com'}Message: (cherry picked from commit f527188c4dab4bf2a3ce0e31406dbd121c3a90ca) |
| Comment by Githook User [ 08/Jun/18 ] |
|
Author: {'username': 'DiannaHohensee', 'name': 'Dianna Hohensee', 'email': 'dianna.hohensee@10gen.com'}Message: Combining two backports because the second has a test fix for the first.
(cherry picked from commit f527188c4dab4bf2a3ce0e31406dbd121c3a90ca)
(cherry picked from commit 5377292873f5b203c401384567457b2987502528) |
| Comment by Githook User [ 04/Jun/18 ] |
|
Author: {'username': 'DiannaHohensee', 'name': 'Dianna Hohensee', 'email': 'dianna.hohensee@10gen.com'}Message: |