Summary
If BSON validation fails at a byte offset of zero, bson_validate_with_error_and_offset() unexpectedly writes nothing to its output parameters, so a caller can end up making decisions based on uninitialized data.
The impact of this bug is limited:
- Typically a BSON document with a truncated header would be rejected earlier, for example in bson_init_static().
- The output parameters are not particularly sensitive; typically they feed into a switch() or an error formatter, not an unbounded memory access or a control-flow change. One exception would be an application that tries to read the context surrounding the error by using 'offset' as an array index.
Environment
Applies to any environment where bson_validate_with_error_and_offset() may process input with a corrupted document header.
How to Reproduce
The following test case fails.
The bson_validate_with_error_and_offset() call returns false, as expected, but err_offset and err are left unchanged from the test's placeholder values.
/* ASSERT is the mongo-c-driver test suite macro; the call under test is libbson's public API. */
static void
test_bson_validate_with_error_and_offset (void)
{
   /* Placeholder values that a correct call must overwrite on failure. */
   size_t err_offset = 12345;
   bson_error_t err = { 67890 }; /* initializes err.domain */
   bson_t bson = { 0 };          /* zeroed bson_t: its header is invalid, so validation fails at byte 0 */

   ASSERT (!bson_validate_with_error_and_offset (&bson, BSON_VALIDATE_NONE, &err_offset, &err));
   /* Both of these fail with the bug: the outputs still hold 12345 and 67890. */
   ASSERT (err_offset == 0);
   ASSERT (err.domain != 67890);
}
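As an added illustration (constructed for this note, not libbson's code and not part of the report), a minimal header validator whose single failure path always writes its output parameters, so an error at byte 0 is reported exactly like any other; the hypothetical helpers reported_code() and reported_offset() mirror the placeholder seeding of the test above:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in (not libbson's implementation) for a validator that
 * honours the output-parameter contract the report expects of
 * bson_validate_with_error_and_offset(): on a false return, *err_offset and
 * *err_code are always written, including when the failure is at byte 0. */
enum hdr_error { HDR_OK = 0, HDR_TRUNCATED, HDR_BAD_LENGTH, HDR_NOT_TERMINATED };

/* Single failure path: outputs are written regardless of the offset value,
 * so "error at offset 0" can never be confused with "nothing reported". */
static bool
fail_at (size_t offset, int code, size_t *err_offset, int *err_code)
{
   *err_offset = offset;
   *err_code = code;
   return false;
}

bool
validate_bson_header (const uint8_t *buf, size_t buf_len, size_t *err_offset, int *err_code)
{
   uint32_t declared;
   if (buf_len < 5) {
      /* Truncated header: the problem is at byte 0, the case in the report. */
      return fail_at (0, HDR_TRUNCATED, err_offset, err_code);
   }
   declared = (uint32_t) buf[0] | ((uint32_t) buf[1] << 8) |
              ((uint32_t) buf[2] << 16) | ((uint32_t) buf[3] << 24);
   if (declared < 5 || declared > buf_len) {
      /* Length prefix disagrees with the buffer: also a byte-0 failure. */
      return fail_at (0, HDR_BAD_LENGTH, err_offset, err_code);
   }
   if (buf[declared - 1] != 0) {
      return fail_at (declared - 1, HDR_NOT_TERMINATED, err_offset, err_code);
   }
   *err_code = HDR_OK;
   return true;
}

/* Mirror the report's test: seed placeholders, return what the call left behind. */
int reported_code (const uint8_t *buf, size_t n)
{ size_t off = 12345; int code = 67890; validate_bson_header (buf, n, &off, &code); return code; }
size_t reported_offset (const uint8_t *buf, size_t n)
{ size_t off = 12345; int code = 67890; validate_bson_header (buf, n, &off, &code); return off; }
```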
Additional Background
Noticed this while working on CDRIVER-5721.