[SERVER-67315] 32 bit integer overflow in DocumentSourceSort::createBoundedSort() call Created: 15/Jun/22 Updated: 29/Oct/23 Resolved: 16/Jun/22 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | None |
| Affects Version/s: | 6.0.0-rc10, 6.1.0-rc0 |
| Fix Version/s: | 6.0.0-rc11, 6.1.0-rc0 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | James Wahlin | Assignee: | James Wahlin |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: |
|
||||||||||||
| Backwards Compatibility: | Fully Compatible | ||||||||||||
| Operating System: | ALL | ||||||||||||
| Backport Requested: |
v6.0
|
||||||||||||
| Steps To Reproduce: | This issue can be reproduced outside of the sanitizer by: Applying the following patch:
|
||||||||||||
| Sprint: | QO 2022-06-27 | ||||||||||||
| Participants: | |||||||||||||
| Linked BF Score: | 177 | ||||||||||||
| Description |
|
Overflow is possible in the following code when a 32 bit integer is multiplied by 1000. This happens in practice when time-series bucket granularity is set to "hours" with a bucket max span seconds value of 2592000 and the bucket unpacking with sort optimization is in play. |
| Comments |
| Comment by Githook User [ 16/Jun/22 ] |
|
Author: {'name': 'James Wahlin', 'email': 'james@mongodb.com', 'username': 'jameswahlin'}Message: (cherry picked from commit c5b3c193d802c5618db349af4efdadbca5e59125) |
| Comment by Githook User [ 16/Jun/22 ] |
|
Author: {'name': 'James Wahlin', 'email': 'james@mongodb.com', 'username': 'jameswahlin'}Message: |