[SERVER-4609] StringBuilder signed integer max buffer size spec is too low, can cause allocated memory buffer overflow upon call to BSONObj::toString() Created: 03/Jan/12 Updated: 11/Jul/16 Resolved: 05/Jan/12

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Stability |
| Affects Version/s: | None |
| Fix Version/s: | 2.0.6, 2.1.0 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Aaron Staple | Assignee: | Eric Milkie |
| Resolution: | Done | Votes: | 0 |
| Labels: | None | | |
| Remaining Estimate: | Not Specified | | |
| Time Spent: | Not Specified | | |
| Original Estimate: | Not Specified | | |
| Issue Links: | | | |
| Operating System: | ALL | | |
| Participants: | | | |
| Description |
|
    StringBuilder& operator<<( int x ) { return SBNUM( x , 11 , "%d" ); }

One of the longest signed integers is -2147483648, which is 11 bytes to print. And sprintf will add a null byte as a terminator, so 12 total bytes need to be allocated. I'd recommend checking the other max sizes passed to SBNUM and also switching to snprintf and checking its return value to ensure the 'n' limit isn't exceeded at runtime.
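The sizing arithmetic and the snprintf-with-checked-return-value recommendation above, as an added worked example. This is not MongoDB's code and does not reproduce the StringBuilder/SBNUM macro; the names maxDecimalWidth, sprintfWouldOverflow, formatInt, formatLongLong and truncationDetectedWith11Bytes are stand-ins chosen here. It goes one step beyond the report by computing the width for 64-bit values as well, since the reporter asks that the other sizes passed to SBNUM be checked too.

```cpp
// Added illustration, not code from the MongoDB tree. The function names are
// stand-ins for the SBNUM pattern described in the report.
#include <climits>
#include <cstddef>
#include <cstdio>
#include <stdexcept>
#include <string>

// Characters (excluding the NUL terminator) that "%d"-style formatting of a
// signed type's most negative value produces: the '-' plus its digits. The
// minimum is the widest value, and |min| is counted without negating it,
// because -INT_MIN itself overflows.
template <typename T>
constexpr int maxDecimalWidth(T minVal) {
    int digits = 0;
    T v = minVal;
    do {
        v /= 10;
        ++digits;
    } while (v != 0);
    return digits + 1;
}

// Buffer sizes that hold the widest text *and* the terminator sprintf appends.
constexpr int MAX_INT_TEXT = maxDecimalWidth(INT_MIN) + 1;   // 11 + 1 == 12
constexpr int MAX_LL_TEXT  = maxDecimalWidth(LLONG_MIN) + 1; // 20 + 1 == 21

// The defect from the report, measured instead of reproduced: SBNUM(x, 11, "%d")
// sized its buffer to 11, but sprintf writes strlen(text) + 1 bytes. The probe
// uses snprintf(nullptr, 0, ...) so this function never writes into a buffer.
bool sprintfWouldOverflow(int x, int bufSize) {
    int needed = std::snprintf(nullptr, 0, "%d", x); // text length, no NUL
    return needed < 0 || needed + 1 > bufSize;
}

// Hardened replacement: snprintf bounded by the buffer's real size, with the
// return value checked. snprintf returns the length the full text would have
// had; a value >= sizeof(buf) means it was truncated, which is a sizing bug.
std::string formatInt(int x) {
    char buf[MAX_INT_TEXT];
    int n = std::snprintf(buf, sizeof(buf), "%d", x);
    if (n < 0 || static_cast<std::size_t>(n) >= sizeof(buf)) {
        throw std::length_error("int text did not fit its buffer");
    }
    return std::string(buf, static_cast<std::size_t>(n));
}

std::string formatLongLong(long long x) {
    char buf[MAX_LL_TEXT];
    int n = std::snprintf(buf, sizeof(buf), "%lld", x);
    if (n < 0 || static_cast<std::size_t>(n) >= sizeof(buf)) {
        throw std::length_error("long long text did not fit its buffer");
    }
    return std::string(buf, static_cast<std::size_t>(n));
}

// The same check applied to the report's 11-byte buffer: returns true when
// snprintf reports that x did not fit, i.e. when sprintf would have overflowed.
bool truncationDetectedWith11Bytes(int x) {
    char buf[11];
    int n = std::snprintf(buf, sizeof(buf), "%d", x);
    return n < 0 || static_cast<std::size_t>(n) >= sizeof(buf);
}

int main() {
    std::printf("INT_MIN needs %d bytes including NUL; SBNUM gave 11 -> overflow=%d\n",
                MAX_INT_TEXT, sprintfWouldOverflow(INT_MIN, 11) ? 1 : 0);
    std::printf("%s %s\n", formatInt(INT_MIN).c_str(),
                formatLongLong(LLONG_MIN).c_str());
    return 0;
}
```

Note that snprintf alone is not the fix: with an 11-byte buffer it silently truncates INT_MIN to "-214748364", so the return-value check is what turns the sizing error into a detectable failure rather than a corrupted string or, with sprintf, a one-byte write past the allocation.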
| Comments |
| Comment by auto [ 18/May/12 ] |
|
Author: Eric Milkie (login milkie, milkie@10gen.com)
Message:
| Comment by auto [ 04/Jan/12 ] |
|
Author: Eric Milkie (login milkie, milkie@10gen.com)
Message: