- Type: Bug
- Resolution: Fixed
- Priority: Major - P3
- Affects Version/s: 1.9.0
- Component/s: None
When analysing PHPC-1067, I found an off-by-one error in bson_append_regex.
The calculation of the number of required bytes has been off by one since the change at https://github.com/mongodb/libbson/commit/f9c179bb#diff-834e3eef392f29fc84e766ec869ff972L1533
The annotated calculation is:
```c
r = _bson_append (bson,
                  5,                                                       // Number of data elements to add
                  (1 + key_length + 1 + regex_len + options_sorted->len),  // bytes to add
                  1,                                                       // length of first element (BSON type, int8)
                  &type,                                                   // the BSON type
                  key_length,                                              // the length of the field name
                  key,                                                     // the field name (not 0-terminated)
                  1,                                                       // the length of the ending 0 byte
                  &gZero,                                                  // the null 0 byte
                  regex_len,                                               // the length of the regular expression (including 0 byte)
                  regex,                                                   // the regular expression with 0 byte
                  options_sorted->len + 1,                                 // the length of the sorted options, with 0 byte
                  options_sorted->str);                                    // the sorted options, with 0 byte
```
If you compare (1 + key_length + 1 + regex_len + options_sorted->len) with the sum of all the lengths, you see it is missing 1 (the extra 0 byte added to options_sorted->len).
This can cause an out-of-bounds write.
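As an added illustration (not libbson's code), the following C stand-in sums the (length, data) pairs the way a `_bson_append`-style helper would copy them and compares that total against the caller's declared byte count, so an undercount like the one above is reported instead of becoming an out-of-bounds write. `append_size_mismatch` and `regex_append_mismatch` are hypothetical names; the element layout modelled is the one in the annotated call above.

```c
#include <stdarg.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for libbson's _bson_append (not the library's code):
 * it takes the declared byte count n_bytes followed by n_pairs
 * (uint32_t length, const void *data) pairs, sums the lengths it would
 * actually copy, and returns actual - declared.  0 means the caller's size
 * formula is consistent; > 0 means it undercounted, which in the real
 * function would write past the bytes it reserved. */
static int32_t append_size_mismatch (uint32_t n_pairs, uint32_t n_bytes, ...)
{
   va_list args;
   uint32_t actual = 0;

   va_start (args, n_bytes);
   for (uint32_t i = 0; i < n_pairs; i++) {
      actual += va_arg (args, uint32_t);
      (void) va_arg (args, const void *); /* data pointer, unused by the check */
   }
   va_end (args);

   return (int32_t) actual - (int32_t) n_bytes;
}

/* Models the regex element from the report: type byte, key, 0 byte, regex
 * (regex_len includes its 0 byte), options (options_len excludes its 0 byte,
 * so the pair passed to the append is options_len + 1).  With fixed == 0 the
 * declared size uses the 1.9.0 formula; with fixed != 0 it adds the missing
 * +1 for the options' terminating 0 byte. */
static int32_t regex_append_mismatch (const char *key, const char *regex,
                                      const char *options, int fixed)
{
   static const uint8_t type = 0x0B; /* BSON regex element type */
   static const uint8_t zero = 0;
   uint32_t key_length = (uint32_t) strlen (key);
   uint32_t regex_len = (uint32_t) strlen (regex) + 1;
   uint32_t options_len = (uint32_t) strlen (options);
   uint32_t n_bytes = 1 + key_length + 1 + regex_len + options_len + (fixed ? 1u : 0u);

   return append_size_mismatch (5, n_bytes,
                                (uint32_t) 1, (const void *) &type,
                                key_length, (const void *) key,
                                (uint32_t) 1, (const void *) &zero,
                                regex_len, (const void *) regex,
                                options_len + 1, (const void *) options);
}
```

With the 1.9.0 formula the check returns 1 for any key, regex and options; with the extra byte counted it returns 0.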
- is depended on by PHPC-1067 BSON document produces driver segfault (Closed)
- related to CDRIVER-4421 Heap-Buffer-Overflow Bug Report, Fuzzing suggestion (Closed)