[SERVER-56516] Fix undefined behaviour in parsing code for $slice projectional operator
Created: 30/Apr/21  Updated: 29/Oct/23  Resolved: 11/Jun/21

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 4.4.7, 5.0.0-rc2, 4.2.16, 4.0.27

Type: Bug
Priority: Major - P3
Reporter: Nikita Lapkov (Inactive)
Assignee: Nikita Lapkov (Inactive)
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Depends
Related
related to SERVER-26148 Commands should convert integers from... Backlog
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested:
v5.0, v4.4, v4.2, v4.0
Sprint: Query Execution 2021-05-03, Query Execution 2021-05-17, Query Execution 2021-05-31, Query Execution 2021-06-14, Query Execution 2021-06-28
Participants:
Linked BF Score: 128

 Description   

attemptToParseFindSlice uses BSONElement::numberInt to extract the $slice value from BSON here. If the BSONElement contains a double NaN, +inf or -inf value, this method still converts it to the int type here. This is undefined behaviour and is caught by UBSAN.
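The double-to-int conversion described above is undefined in C++ whenever the truncated value does not fit in int, which covers NaN, both infinities and large finite doubles. The following is an added example, not MongoDB code and not the fix from the linked commits; the helper names checkedDoubleToInt and saturatingDoubleToInt are hypothetical, and the sample values are constructed.

```cpp
#include <cmath>
#include <cstdio>
#include <limits>

// Hypothetical helpers for illustration; these are not MongoDB functions.
typedef std::numeric_limits<int> IntLimits;

// Ensures INT_MIN - 1 and INT_MAX + 1 are exactly representable as doubles.
static_assert(IntLimits::digits < std::numeric_limits<double>::digits,
              "int must fit in the double mantissa");

// Open interval (kLow, kHigh): doubles whose truncation toward zero fits in int.
constexpr double kLow = static_cast<double>(IntLimits::min()) - 1.0;
constexpr double kHigh = static_cast<double>(IntLimits::max()) + 1.0;

// Strict policy: refuse NaN, +/-inf and out-of-range values instead of casting.
bool checkedDoubleToInt(double d, int* out) {
    // Any comparison with NaN is false, so NaN fails this test as well.
    if (!(d > kLow && d < kHigh)) return false;
    *out = static_cast<int>(d);  // defined: the truncated value is representable
    return true;
}

// Saturating policy: NaN maps to 0, everything else clamps to the int range.
int saturatingDoubleToInt(double d) {
    if (std::isnan(d)) return 0;
    if (d >= kHigh) return IntLimits::max();
    if (d <= kLow) return IntLimits::min();
    return static_cast<int>(d);
}

int main() {
    const double inf = std::numeric_limits<double>::infinity();
    // Constructed sample inputs standing in for a numeric $slice argument.
    const double samples[] = {3.0, -2.7, 2147483648.0, std::nan(""), inf, -inf};
    for (double d : samples) {
        int v = 0;
        if (checkedDoubleToInt(d, &v))
            std::printf("%g -> %d (saturating: %d)\n", d, v, saturatingDoubleToInt(d));
        else
            std::printf("%g rejected (saturating: %d)\n", d, saturatingDoubleToInt(d));
    }
    return 0;
}
```

Building a reproducer that uses a plain static_cast with -fsanitize=float-cast-overflow (part of -fsanitize=undefined in Clang) is how this class of conversion gets reported at run time.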



 Comments   
Comment by Githook User [ 19/Jul/21 ]

Author:

{'name': 'Nikita Lapkov', 'email': 'nikita.lapkov@mongodb.com', 'username': 'laplab'}

Message: SERVER-56516 Fix undefined behaviour in $slice arguments parsing

(partially cherry picked from commit 19764c1864c1c57d9274238146e6843591bc6ce6)
Branch: v4.0
https://github.com/mongodb/mongo/commit/5d763763db2fcd9b2799faa7e1ef246df3c325a9

Comment by Githook User [ 09/Jul/21 ]

Author:

{'name': 'Nikita Lapkov', 'email': 'nikita.lapkov@mongodb.com', 'username': 'laplab'}

Message: SERVER-56516 Fix undefined behaviour in $slice arguments parsing
Branch: v4.2
https://github.com/mongodb/mongo/commit/729f6320ad56a7daf16fa06f6a655016e43a75e8

Comment by Githook User [ 11/Jun/21 ]

Author:

{'name': 'Nikita Lapkov', 'email': 'nikita.lapkov@mongodb.com', 'username': 'laplab'}

Message: SERVER-56516 Fix undefined behaviour in $slice arguments parsing

(cherry picked from commit 84ef6e51778fc42a39c85cf5a7a1e776ab94d1a7)
Branch: v5.0
https://github.com/mongodb/mongo/commit/e5d16c96efeab3868aa9bac98d5371b87936b4ac

Comment by Githook User [ 11/Jun/21 ]

Author:

{'name': 'Nikita Lapkov', 'email': 'nikita.lapkov@mongodb.com', 'username': 'laplab'}

Message: SERVER-56516 Fix undefined behaviour in $slice arguments parsing
Branch: master
https://github.com/mongodb/mongo/commit/8e9a4ff28dbf9bd50455aa99b7986e030f9d5923

Comment by Githook User [ 11/Jun/21 ]

Author:

{'name': 'Nikita Lapkov', 'email': 'nikita.lapkov@mongodb.com', 'username': 'laplab'}

Message: SERVER-56516 Fix undefined behaviour in $slice arguments parsing

(cherry picked from commit 84ef6e51778fc42a39c85cf5a7a1e776ab94d1a7)
Branch: v4.4
https://github.com/mongodb/mongo/commit/cbe262bb3d99708c5e59bf3c9a32c7e15ce78fe6

Generated at Thu Feb 08 05:39:28 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.