[SERVER-9893] HexData and BinData constructors do not check for out of range subtype
Created: 10/Jun/13  Updated: 11/Jul/16  Resolved: 10/Jul/13

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 2.5.1

Type: Bug
Priority: Minor - P4
Reporter: Shaun Verch
Assignee: Shaun Verch
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
depends on SERVER-9583 V8 allows BinData() with no arguments Closed
Related
related to SERVER-9583 V8 allows BinData() with no arguments Closed
Operating System: ALL
Steps To Reproduce:

> x = { "x" : HexData(-1,"") }
{ "x" : BinData(-1,"") }
> db.foo.insert(x)
> db.foo.find()
{ "_id" : ObjectId("51b60faec87bbbd9e8cbef2c"), "x" : BinData(255,"") }
> db.foo.find(x)
{ "_id" : ObjectId("51b60faec87bbbd9e8cbef2c"), "x" : BinData(255,"") }
> y = { "y" : HexData(256,"") }
{ "y" : BinData(256,"") }
> db.foo.insert(y)
> db.foo.find()
{ "_id" : ObjectId("51b60faec87bbbd9e8cbef2c"), "x" : BinData(255,"") }
{ "_id" : ObjectId("51b60fd5c87bbbd9e8cbef2d"), "y" : BinData(0,"") }
> db.foo.find(y)
{ "_id" : ObjectId("51b60fd5c87bbbd9e8cbef2d"), "y" : BinData(0,"") }
> db.foo.remove()
> x = { "x" : BinData(-1,"") }
{ "x" : BinData(-1,"") }
> db.foo.insert(x)
> db.foo.find()
{ "_id" : ObjectId("51b6100cc87bbbd9e8cbef2e"), "x" : BinData(255,"") }
> y = { "y" : BinData(256,"") }
{ "y" : BinData(256,"") }
> db.foo.insert(y)
> db.foo.find()
{ "_id" : ObjectId("51b6100cc87bbbd9e8cbef2e"), "x" : BinData(255,"") }
{ "_id" : ObjectId("51b61019c87bbbd9e8cbef2f"), "y" : BinData(0,"") }
>


 Description   

The subtype of BinData and HexData is not checked to make sure it is in the range (0-255). Since BSON only has a single byte for the subtype, this does not round trip.



 Comments   
Comment by Tad Marshall [ 10/Jun/13 ]

The SpiderMonkey code checked this: src/mongo/scripting/engine_spidermonkey.cpp lines 941 to 979:

    JSBool _HexData( JSContext * cx , JSObject * obj , uintN argc, jsval *argv, jsval *rval ) {
        try {
            if ( argc != 2 ) {
                JS_ReportError( cx , "HexData needs 2 arguments -- HexData(subtype,hexstring)" );
                return JS_FALSE;
            }
            Convertor c( cx );
            int subtype = static_cast<int>( c.toNumber( argv[ 0 ] ) );
            if ( subtype == 2 ) {
                JS_ReportError( cx , "BinData subtype 2 is deprecated" );
                return JS_FALSE;
            }
            else if ( subtype < 0 || subtype > 255 ) {
                JS_ReportError( cx, "subtype must be between 0 and 255" );
                return JS_FALSE;
            }
            string s( c.toString( argv[1] ) );
            if ( ! testHexString( cx, s ) ) {
                return JS_FALSE;
            }
            size_t len = s.length();
            if ( 0 != ( len % 2 ) ) {
                JS_ReportError( cx, "hexstring must be even length" );
                return JS_FALSE;
            }
            hexToBinData(cx, &c, rval, subtype, s);
        }
        catch ( const AssertionException& e ) {
            if ( ! JS_IsExceptionPending( cx ) ) {
                JS_ReportError( cx, e.what() );
            }
            return JS_FALSE;
        }
        catch ( const std::exception& e ) {
            log() << "unhandled exception: " << e.what() << ", throwing Fatal Assertion" << endl;
            fassertFailed( 16277 );
        }
        return JS_TRUE;
    }
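
The truncation from the description (-1 stored as 255, 256 stored as 0) next to a constructor that applies the checks shown in the SpiderMonkey excerpt, as an added C++ example that is not part of the ticket or of MongoDB's source. `BinDataValue`, `encodeUnchecked`, `storedSubtype`, `makeHexData` and `rejects` are hypothetical names, and the "invalid hex digit" message is this example's own.

```cpp
#include <cctype>
#include <cstdint>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical names for illustration; this is not MongoDB source.
struct BinDataValue { int subtype; std::vector<uint8_t> data; };

// BSON binary payload: int32 length (little-endian), ONE subtype byte, data.
std::vector<uint8_t> encodeUnchecked(const BinDataValue& v) {
    std::vector<uint8_t> out;
    uint32_t len = static_cast<uint32_t>(v.data.size());
    for (int i = 0; i < 4; ++i) out.push_back(static_cast<uint8_t>(len >> (8 * i)));
    out.push_back(static_cast<uint8_t>(v.subtype));  // narrows modulo 256, no error
    out.insert(out.end(), v.data.begin(), v.data.end());
    return out;
}

// Subtype a reader gets back after an unchecked write of `requested`.
int storedSubtype(int requested) {
    return encodeUnchecked(BinDataValue{requested, {}})[4];
}

// Checked constructor: validate the number while it is still a double, then narrow.
BinDataValue makeHexData(double subtype, const std::string& hex) {
    if (!(subtype >= 0 && subtype <= 255))  // NaN fails this test too
        throw std::invalid_argument("subtype must be between 0 and 255");
    BinDataValue v{static_cast<int>(subtype), {}};
    if (v.subtype == 2) throw std::invalid_argument("BinData subtype 2 is deprecated");
    if (hex.size() % 2 != 0) throw std::invalid_argument("hexstring must be even length");
    for (std::string::size_type i = 0; i < hex.size(); i += 2) {
        auto isHex = [](char c) { return std::isxdigit(static_cast<unsigned char>(c)) != 0; };
        if (!isHex(hex[i]) || !isHex(hex[i + 1])) throw std::invalid_argument("invalid hex digit");
        v.data.push_back(static_cast<uint8_t>(std::stoi(hex.substr(i, 2), nullptr, 16)));
    }
    return v;
}

bool rejects(double subtype, const std::string& hex) {
    try { makeHexData(subtype, hex); } catch (const std::invalid_argument&) { return true; }
    return false;
}

int main() {
    std::cout << storedSubtype(-1) << " " << storedSubtype(256) << " "
              << rejects(-1, "") << rejects(256, "") << "\n";
}
```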
