Type: Bug
Resolution: Done
Priority: Major - P3
Affects Version/s: None
Component/s: None
_cbson's get_value doesn't accept a data size parameter, which means that it is very easy to trick _cbson into decoding, and thus reading, out-of-range data that can easily crash Python. For example:
python -c 'import bson; bson.decode_all("\x07\x00\x00\x00\x02a\x00\x78\x56\x34\x12")'
If _cbson is compiled/enabled then Python will crash with a segmentation fault. If _cbson is not enabled I lose speed but get the expected result:
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "bson/__init__.py", line 404, in decode_all
    (doc, data) = _bson_to_dict(data, as_class, tz_aware)
  File "bson/__init__.py", line 245, in _bson_to_dict
    return (_elements_to_dict(elements, as_class, tz_aware), data[obj_size:])
  File "bson/__init__.py", line 233, in _elements_to_dict
    (key, value, data) = _element_to_dict(data, as_class, tz_aware)
  File "bson/__init__.py", line 225, in _element_to_dict
    (element_name, data) = _get_c_string(data[1:])
  File "bson/__init__.py", line 75, in _get_c_string
    raise InvalidBSON()
bson.errors.InvalidBSON
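
Added example, not part of the original report and not PyMongo's code: a C walk over a BSON document of string elements in which every read is checked against the bytes that remain, so the input above is rejected instead of being read past its end. The names validate_string_doc and read_i32 are hypothetical, and only element type 0x02 (string) is handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Read a little-endian int32 only if 4 bytes remain; returns 0 on success. */
static int read_i32(const uint8_t *p, size_t remaining, int32_t *out) {
    if (remaining < 4) return -1;
    *out = (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 |
                     (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
    return 0;
}

/* Hypothetical validator: returns 0 if buf holds one well-formed BSON
 * document whose elements are all strings (type 0x02), -1 otherwise.
 * The caller passes the real buffer length; nothing is read beyond it. */
int validate_string_doc(const uint8_t *buf, size_t len) {
    int32_t doc_size, slen;
    if (read_i32(buf, len, &doc_size) != 0) return -1;
    /* Smallest document is a 4-byte size plus the 0x00 terminator. */
    if (doc_size < 5 || (size_t)doc_size > len) return -1;
    size_t end = (size_t)doc_size - 1;          /* index of the terminator */
    if (buf[end] != 0x00) return -1;
    size_t pos = 4;
    while (pos < end) {
        if (buf[pos++] != 0x02) return -1;       /* element type byte */
        const uint8_t *nul = memchr(buf + pos, 0, end - pos);
        if (nul == NULL) return -1;              /* unterminated element name */
        pos = (size_t)(nul - buf) + 1;
        if (read_i32(buf + pos, end - pos, &slen) != 0) return -1;
        pos += 4;
        /* slen includes the trailing NUL and must fit in what is left. */
        if (slen < 1 || (size_t)slen > end - pos) return -1;
        if (buf[pos + (size_t)slen - 1] != 0x00) return -1;
        pos += (size_t)slen;
    }
    return 0;
}

int main(void) {
    /* The 11 bytes from the report: declared size 7, string length 0x12345678. */
    static const uint8_t bad[] = {0x07, 0, 0, 0, 0x02, 'a', 0,
                                  0x78, 0x56, 0x34, 0x12};
    return validate_string_doc(bad, sizeof bad) == -1 ? 0 : 1;
}
```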