[SERVER-4609] StringBuilder signed integer max buffer size spec is too low, can cause allocated memory buffer overflow upon call to BSONObj::toString() Created: 03/Jan/12  Updated: 11/Jul/16  Resolved: 05/Jan/12

Status: Closed
Project: Core Server
Component/s: Stability
Affects Version/s: None
Fix Version/s: 2.0.6, 2.1.0

Type: Bug Priority: Major - P3
Reporter: Aaron Staple Assignee: Eric Milkie
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
is depended on by SERVER-4192 double free seen after update by id Closed
Duplicate
is duplicated by SERVER-6488 Server crash Closed
is duplicated by SERVER-4249 abort after invalid next size error Closed
Related
related to SERVER-4249 abort after invalid next size error Closed
Operating System: ALL
Participants:

Description

StringBuilder& operator<<( int x ) { return SBNUM( x , 11 , "%d" ); }

One of the longest signed integers is -2147483648, which is 11 bytes to print. And sprintf will add a null byte as a terminator, so 12 total bytes need to be allocated.

I'd recommend checking the other max sizes passed to SBNUM and also switching to snprintf and checking its return value to ensure the 'n' limit isn't exceeded at runtime.
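An added example (not MongoDB's code) of the hardening the description recommends: the buffer width is derived from the integer type instead of a hand-picked constant, snprintf replaces sprintf, and its return value is checked so a value that does not fit is rejected rather than written past the end. The function names and the wouldOverflow helper are hypothetical.

```cpp
#include <climits>
#include <cstddef>
#include <cstdio>
#include <limits>
#include <string>

// Characters (sign plus digits, no terminator) needed to print the widest
// value of integer type T in base 10: 11 for a 32-bit int ("-2147483648"),
// 20 for a 64-bit long long, 10 for unsigned int.
template <typename T>
constexpr std::size_t maxDecimalChars() {
    return std::numeric_limits<T>::digits10 + 1
         + (std::numeric_limits<T>::is_signed ? 1 : 0);
}

// Measure, without writing anywhere, whether formatting x with fmt into a
// buffer of bufSize bytes would overflow it (terminator included).
template <typename T>
bool wouldOverflow(std::size_t bufSize, const char* fmt, T x) {
    int needed = std::snprintf(nullptr, 0, fmt, x);  // length without NUL
    return needed < 0 || static_cast<std::size_t>(needed) + 1 > bufSize;
}

// Hardened replacement for the SBNUM pattern: size the buffer from the type,
// format with snprintf, and reject a truncated result instead of trusting a
// constant such as 11 that forgets the terminator.
template <typename T>
bool appendNumber(std::string& out, T x, const char* fmt) {
    char buf[maxDecimalChars<T>() + 1];  // +1 for the NUL snprintf writes
    int n = std::snprintf(buf, sizeof(buf), fmt, x);
    if (n < 0 || static_cast<std::size_t>(n) >= sizeof(buf)) {
        return false;  // sprintf would have run past the buffer here
    }
    out.append(buf, static_cast<std::size_t>(n));
    return true;
}

int main() {
    // The ticket's case: an 11-byte buffer is one byte short for INT_MIN.
    std::printf("11-byte buffer overflows for INT_MIN: %s\n",
                wouldOverflow(11, "%d", INT_MIN) ? "yes" : "no");
    std::string s;
    bool ok = appendNumber(s, INT_MIN, "%d");
    std::printf("appendNumber ok=%d -> %s\n", ok ? 1 : 0, s.c_str());
    return ok ? 0 : 1;
}
```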



Comments
Comment by auto [ 18/May/12 ]

Author: Eric Milkie (milkie, milkie@10gen.com)

Message: SERVER-4609 ensure correct buffer sizes for string representations of numbers
Branch: v2.0
https://github.com/mongodb/mongo/commit/c3d0639c9a6939a279b8ced3d4c210aef1979d2a

Comment by auto [ 04/Jan/12 ]

Author: Eric Milkie (milkie, milkie@10gen.com)

Message: SERVER-4609 ensure correct buffer sizes for string representations of numbers
Branch: master
https://github.com/mongodb/mongo/commit/5577afa6b7da62677dcacc983988144b41f7f308
