[SERVER-37183] BSONElement::safeNumberLong is not safe
Created: 18/Sep/18 | Updated: 29/Oct/23 | Resolved: 13/Dec/18

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Internal Code |
| Affects Version/s: | None |
| Fix Version/s: | 4.0.7, 4.1.7 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Martin Neupauer | Assignee: | Backlog - Query Team (Inactive) |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Assigned Teams: | Query |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Backport Requested: | v4.0 |
| Participants: | |
| Linked BF Score: | 61 |
| Description |
|
BSONElement::safeNumberLong is not as safe as it may seem. Consider the following simple program:
I.e. there exists a double value that is greater than the long long max and yet it fails to be clamped by safeNumberLong.
Please note that safeNumberLong is called as part of the hash index processing. It means that we may have computed and stored wrong hash values to disk. If safeNumberLong gets fixed it may start generating different hash values leading to incorrect query results. |
| Comments |
| Comment by Githook User [ 20/Feb/19 ] |
|
Author: {'name': 'Justin Seyster', 'username': 'jseyster', 'email': 'justin.seyster@mongodb.com'}
Message: (cherry picked from commit 1582fb6cce63c8e5691a14f8de2db4b3fbe42873) |
| Comment by Githook User [ 07/Dec/18 ] |
|
Author: {'name': 'Justin Seyster', 'email': 'justin.seyster@mongodb.com', 'username': 'jseyster'}
Message: |
| Comment by Justin Seyster [ 03/Nov/18 ] |
|
I've made progress on this, but it needs some more time before it's ready for code review. I can continue work next BF Friday. I plan to use the kLongLongMaxPlusOneAsDouble bound for the positive overflow check, which is what $convert does. |
| Comment by Ian Whalen (Inactive) [ 11/Oct/18 ] |
|
Assigning to Dave to figure out what is the impact of the linked test failure. |
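
The rounding hazard reported in the description and the "long long max plus one" bound mentioned in Justin Seyster's comment, shown as an added C++ example (not MongoDB's code and not taken from this ticket). Every name in it is hypothetical, `naiveDetectsPositiveOverflow` is an assumed stand-in for a check against LLONG_MAX converted to double, and mapping NaN to 0 is an assumption of this sketch.

```cpp
#include <cmath>
#include <cstdio>
#include <limits>

// Added example, not MongoDB source. All names here are hypothetical.
constexpr long long kMax = std::numeric_limits<long long>::max();
constexpr long long kMin = std::numeric_limits<long long>::min();

// 2^63 is exactly representable as a double; LLONG_MAX (2^63 - 1) is not.
constexpr double kTwoTo63 = 9223372036854775808.0;

// Assumed shape of an unsafe check: LLONG_MAX converts to double as 2^63
// under round-to-nearest, so d == 2^63 is NOT reported as overflow.
bool naiveDetectsPositiveOverflow(double d) {
    return d > static_cast<double>(kMax);
}

// Bound of the kind the comment describes: compare against LLONG_MAX + 1.
bool fixedDetectsPositiveOverflow(double d) {
    return d >= kTwoTo63;
}

// Clamp without ever casting an out-of-range double (that cast is undefined
// behaviour in C++). NaN -> 0 is an assumption of this sketch.
long long clampToLongLong(double d) {
    if (std::isnan(d)) return 0;
    if (d >= kTwoTo63) return kMax;
    if (d < -kTwoTo63) return kMin;  // -2^63 itself fits and casts exactly
    return static_cast<long long>(d);
}

int main() {
    std::printf("naive flags 2^63: %d\n", naiveDetectsPositiveOverflow(kTwoTo63));
    std::printf("fixed flags 2^63: %d\n", fixedDetectsPositiveOverflow(kTwoTo63));
    std::printf("clamp(2^63) = %lld\n", clampToLongLong(kTwoTo63));
    return 0;
}
```

The largest double below 2^63 is 2^63 - 1024, so the `>=` comparison against 2^63 rejects no value that actually fits in a long long.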