C Driver / CDRIVER-2401

Handle UTF-8 multibyte NIL in bson_utf8_validate, and UTF-8 validate URI strings before parsing

      Bugs

      Three minor issues if you feed the following PoCs into the "mongoc_uri_new" function.

      This was against:
      https://github.com/mongodb/mongo-c-driver/releases/download/1.8.2/mongo-c-driver-1.8.2.tar.gz

      With ASAN on.

      This is the script I used for testing:
      https://gist.github.com/c0nrad/760fd1d34e39b7ed8f4442c622c90160

      scan_to_unichar

      READ of size 1
      #7 0x000000000041c2ec in scan_to_unichar (terminators=<optimized out>, end=<synthetic pointer>, match=64, str=0x60200000ec50 "\350\003") at src/mongoc/mongoc-uri.c:159
      PoC
      0000000 6f6d 676e 646f 3a62 2f2f 03e8 0000 686c
      0000010 736f 3a74 3732 3130 2f37 6574 7473 723f
      0000020 7065 696c 6163 6573 3d74 6f66 006f
      000002d

      bson_utf8_get_char

      READ of size 1
      #7 0x00000000004763db in bson_utf8_get_char (utf8=utf8@entry=0x60200000ec30 "\372") at src/bson/bson-utf8.c:367
      PoC:
      0000000 6f6d 676e 646f 3a62 2f2f 00fa fa00 686c
      0000010 736f 3a74 3732 3130 2f37 6574 7473 723f
      0000020 7065 696c 6163 6573 3d74 6f66 006f
      000002d

      bson_string_append_unichar

      precondition failed: unichar
      #2 0x0000000000471ed2 in bson_string_append_unichar (string=string@entry=0x60200000ebf0, unichar=<optimized out>) at src/bson/bson-string.c:232
      #3 0x0000000000412529 in mongoc_uri_unescape (escaped_string=escaped_string@entry=0x60200000ec10 "loca01te\332\213\300\200") at src/mongoc/mongoc-uri.c:1683
      #4 0x0000000000412eff in mongoc_uri_do_unescape (str=<synthetic pointer>) at src/mongoc/mongoc-uri.c:76
      #5 mongoc_uri_parse_host (uri=<optimized out>, str=<optimized out>, downcase=<optimized out>) at src/mongoc/mongoc-uri.c:367
      PoC:
      0000000 6f6d 676e 646f 3a62 2f2f 6f6c 6163 3130
      0000010 6574 8bda 80c0 ff00 31ff 6574 8bda 8dc0
      0000020 4063 6573 3d74 6f66 7361 0073
      000002b

            Assignee:
            jesse@mongodb.com A. Jesse Jiryu Davis
            Reporter:
            stuart.larsen@mongodb.com Stuart Larsen (Inactive)
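
The check named in the issue title, UTF-8 validating the URI string before any parsing, as an added example that is not part of the original report and is not the driver's own fix. `uri_utf8_is_valid` is a hypothetical helper; rejecting the two-byte NUL (C0 80) outright is this example's choice, and the inputs in `main` are constructed from the C-string prefixes of the three PoC dumps.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper, not libbson's bson_utf8_validate. Returns true only if
 * the NUL-terminated string is well-formed UTF-8. Every continuation byte is
 * checked before the cursor moves past it, so the scan cannot step over the
 * string terminator. */
bool uri_utf8_is_valid(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;

    while (*p) {
        uint32_t cp, min;
        int need;

        if (*p < 0x80) { p++; continue; }   /* ASCII */
        if ((*p & 0xE0) == 0xC0)      { need = 1; cp = *p & 0x1F; min = 0x80; }
        else if ((*p & 0xF0) == 0xE0) { need = 2; cp = *p & 0x0F; min = 0x800; }
        else if ((*p & 0xF8) == 0xF0) { need = 3; cp = *p & 0x07; min = 0x10000; }
        else return false;   /* stray continuation byte or 5/6-byte lead (0xFA) */
        p++;

        while (need--) {
            /* 0x00 or any other non-continuation byte ends the sequence early */
            if ((*p & 0xC0) != 0x80) return false;
            cp = (cp << 6) | (*p & 0x3F);
            p++;
        }
        /* Overlong forms (C0 80 decodes to 0), surrogates, > U+10FFFF */
        if (cp < min || cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF))
            return false;
    }
    return true;
}

int main(void)
{
    /* Constructed inputs: C-string prefixes of the three PoC dumps, plus one
     * well-formed URI. */
    const char *in[] = { "mongodb://\xe8\x03", "mongodb://\xfa",
                         "mongodb://loca01te\xda\x8b\xc0\x80",
                         "mongodb://localhost:27017/test?replicaset=foo" };
    for (int i = 0; i < 4; i++)
        printf("input %d: %s\n", i, uri_utf8_is_valid(in[i]) ? "valid" : "rejected");
    return 0;
}
```

A caller would run this on the raw string and refuse to parse when it returns false, so the host and option parsers only ever see well-formed sequences.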