[SERVER-55054] Unchecked boost::optional usage in DocumentSourceInternalSetWindowFields

Created: 09/Mar/21
Updated: 29/Oct/23
Resolved: 09/Mar/21

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 4.9.0

Type: Bug
Priority: Major - P3
Reporter: Justin Seyster
Assignee: Nicholas Zolnierz
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Backwards Compatibility: Fully Compatible
Operating System: ALL
Steps To Reproduce:

Execute an aggregation pipeline with $setWindowFields on an empty collection.

Participants:
Linked BF Score: 66

 Description   

This line in DocumentSourceInternalSetWindowFields::doGetNext() calls the [] overload on a PartitionIterator but then calls the get() method on the resulting optional without checking if it is boost::none. The [] overload can return boost::none, however, resulting in access to uninitialized memory and potential crashes.

The simplest case I found where this happens is when there are no input documents to the $setWindowFields stage.
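The pattern from the description, as an added example that is not taken from the MongoDB source or from the fix commit: the iterator's `[]` result is tested before it is dereferenced, so an empty input ends the stream instead of reading an empty optional. `ToyPartitionIterator`, `GetNextResult`, `getNextChecked` and `drain` are hypothetical names, and `std::optional` stands in for `boost::optional`.

```cpp
#include <cstddef>
#include <optional>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-in for the server's PartitionIterator: operator[] looks up
// a document relative to the current position and yields an empty optional when
// that position is outside the partition (always the case for empty input).
class ToyPartitionIterator {
public:
    explicit ToyPartitionIterator(std::vector<std::string> docs) : _docs(std::move(docs)) {}

    std::optional<std::string> operator[](int offset) const {
        long idx = static_cast<long>(_pos) + offset;
        if (idx < 0 || idx >= static_cast<long>(_docs.size()))
            return std::nullopt;
        return _docs[static_cast<std::size_t>(idx)];
    }
    void advance() { ++_pos; }

private:
    std::vector<std::string> _docs;
    std::size_t _pos = 0;
};

struct GetNextResult {
    bool eof;
    std::string doc;
};

// Unchecked shape described in the ticket, left as a comment and never run,
// because dereferencing an empty optional is undefined behaviour:
//     auto doc = *iter[0];
//
// Checked shape: test the optional first and report end-of-stream when empty.
GetNextResult getNextChecked(ToyPartitionIterator& iter) {
    auto current = iter[0];
    if (!current)
        return {true, {}};
    iter.advance();
    return {false, *current};
}

// Drains the toy stage and returns how many documents it produced.
std::size_t drain(ToyPartitionIterator iter) {
    std::size_t n = 0;
    while (!getNextChecked(iter).eof) ++n;
    return n;
}
```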



 Comments   
Comment by Githook User [ 09/Mar/21 ]

Author: Nick Zolnierz <nicholas.zolnierz@mongodb.com> (username: nzolnierzmdb)

Message: SERVER-55054 Handle zero input documents in $setWindowFields stage
Branch: master
https://github.com/mongodb/mongo/commit/3e4f8585dea5f0c29509643a72664aa30ef4d149
