[SERVER-3991] Indexing past the end of a string in mongo shell Created: 01/Oct/11  Updated: 11/Jul/16  Resolved: 15/Oct/11

Status: Closed
Project: Core Server
Component/s: Shell
Affects Version/s: 2.0.0
Fix Version/s: 2.1.0

Type: Bug Priority: Major - P3
Reporter: Tad Marshall Assignee: Eliot Horowitz (Inactive)
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Any


Operating System: ALL
Participants:

Description

In the mongo shell's dbshell.cpp file, the routine isBalanced() tries to figure out if you have finished typing. It checks to see if parentheses and braces are balanced and whether you might not be finished typing a long quoted string. The checking for balanced "()" and "{}" uses counters, but for apostrophes ("single quotes") and double quotes it uses a different method and fast forwards through the string looking for the matching element. This is a problem, because after this code breaks out of its switch statement there is a bit more code that assumes that the index variable is still in range. It isn't; the fast forward algorithm has set the index 'i' to code.size() and the expression 'code[i]' indexes off the end of the string.
To see this, run the debug build of the mongo shell in Windows, type the single character "'" and press return. You get a debug assertion from the runtime. I'm not quite sure why non-debug builds sail past this error, but the algorithm needs some fine tuning to keep string referencing in bounds.



Comments
Comment by auto [ 15/Oct/11 ]

Author:

{u'login': u'erh', u'name': u'Eliot', u'email': u'eliot@10gen.com'}

Message: Merge pull request #116 from tadmarshall/SERVER-3991-reissue

SERVER-3991 (reissue) – don't index past end of string
Branch: master
https://github.com/mongodb/mongo/commit/795c7023663347cd78771bed749795e69ecd7213

Comment by Tad Marshall [ 13/Oct/11 ]

I closed pull request 98 and opened https://github.com/mongodb/mongo/pull/116 to replace it.
Same code, but without the unrelated commits.

Comment by Tad Marshall [ 06/Oct/11 ]

Pull request https://github.com/mongodb/mongo/pull/98 addresses this.

Comment by Tad Marshall [ 01/Oct/11 ]

The reason that non-debug builds do not show any problem is that the [] operator does not check index bounds and all implementations of std::string store the string null-terminated. So, this code will always fetch a zero when it indexes off the "end" of the string by one character, and no real harm is done. Fixing this is mostly worthwhile so that developers testing debug builds don't see assertion failures that are unrelated to whatever they are working on. The "Major" priority I assigned to this bug may not be the correct one; customers will not see this bug.
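The following is an added example, not code from mongo's dbshell.cpp, covering both the description's account of the quote fast-forward overrunning the index and the comment above about why release builds did not crash. It reconstructs the checker in simplified form: a bounded quote scan, a function that reports when the original loop shape would have used an out-of-range index, a corrected isBalanced(), and a function showing the zero that a past-the-end read returns. The names skipQuoted, buggyScanOverruns, isBalanced and charPastEnd are assumptions for this example, and the switch cases are limited to the characters the report mentions.

```cpp
#include <cstddef>
#include <string>

// Added example, not code from mongo's dbshell.cpp: a simplified reconstruction
// of the completeness check the report describes, with the index kept in range.
// Names below (skipQuoted, buggyScanOverruns, isBalanced, charPastEnd) are
// assumptions for this example, not identifiers from the project.

// Scan forward from the opening quote at code[i] for the matching quote,
// honouring backslash escapes. Returns the index of the closing quote, or
// code.size() when the string is unterminated.
std::size_t skipQuoted(const std::string& code, std::size_t i) {
    const char quote = code[i];
    for (++i; i < code.size(); ++i) {
        if (code[i] == '\\') { ++i; continue; }   // skip the escaped character
        if (code[i] == quote) return i;
    }
    return code.size();
}

// Shape of the defect: after the quote fast-forward, the loop body goes on
// using code[i] without re-checking the bound. Rather than perform the
// out-of-range read, this returns true when the post-switch code would do so.
bool buggyScanOverruns(const std::string& code) {
    for (std::size_t i = 0; i < code.size(); ++i) {
        switch (code[i]) {
            case '\'':
            case '"':
                i = skipQuoted(code, i);   // may now equal code.size()
                break;
            default:
                break;
        }
        // The original continued with code[i] here; for the input "'" that is
        // code[1] on a one-character string.
        if (i >= code.size()) return true;
    }
    return false;
}

// Corrected checker: true when every "(" and "{" has a partner and no quoted
// string is left open, so the shell can evaluate instead of prompting for more.
bool isBalanced(const std::string& code) {
    int parens = 0;
    int braces = 0;
    for (std::size_t i = 0; i < code.size(); ++i) {
        switch (code[i]) {
            case '(': ++parens; break;
            case ')': --parens; break;
            case '{': ++braces; break;
            case '}': --braces; break;
            case '\'':
            case '"': {
                const std::size_t close = skipQuoted(code, i);
                if (close == code.size()) return false;   // unterminated string
                i = close;   // still a valid index; the loop's ++i moves past it
                break;
            }
            default:
                break;
        }
    }
    return parens == 0 && braces == 0;
}

// Why release builds sailed past the bug (see the reporter's comment): since
// C++11, std::string::operator[] at index size() is defined to return a
// reference to '\0', so the stray read yields a zero that matches no case in
// the switch. The Windows debug runtime asserted on that same access, which is
// the failure the report describes.
char charPastEnd(const std::string& code) {
    return code[code.size()];
}
```

The corrected version never assigns code.size() to the loop index: an unterminated string returns early, and otherwise i is left on the closing quote so the loop's own increment moves past it. That is the property to check when reviewing a fix for this class of bug, since the silent zero from a past-the-end read hides the error in release builds.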

Generated at Thu Feb 08 03:04:38 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.