Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Unresolved
Priority: Minor - P4
Fix Version/s: None
Affects Version/s: 2.6.0-rc0
Component/s: Aggregation Framework
Labels:

Assigned Teams:

Query Optimization
Operating System:
ALL
Linked BF Score:
0

If 'batchSize' argument in cursor exceeds some value, it overflows, being considered negative.

> use foo
switched to db foo
> var bigArray = [];
> for (var i = 0; i < 1000; ++i) { bigArray.push(i); }
1000
> var bigStr = Array(1001).toString();
> for (var i = 0; i < 100; ++i) { db.goo.insert({_id: i, bigArray: bigArray, bigStr: bigStr})};
WriteResult({ "nInserted" : 1 })
> var cursor = db.runCommand({aggregate: "goo", pipeline: [{$unwind:'$bigArray'}], cursor : {batchSize : Math.pow(2, 63)}})
> cursor
{
	"errmsg" : "exception: Cursor batchSize must not be negative",
	"code" : 16957,
	"ok" : 0
}
> var cursor = db.runCommand({aggregate: "goo", pipeline: [{$unwind:'$bigArray'}], cursor : {batchSize : Math.pow(2, 62)}})
> cursor
{
	"cursor" : {
		"id" : NumberLong(0),
		"ns" : "test.goo",
		"firstBatch" : [ ..... ] 
	},
	"ok" : 1
}

> print(Math.pow(2, 63))
9223372036854776000

is related to

SERVER-26148 Commands should convert integers from user input safely

Backlog

SERVER-12814 Aggregation: cursor batchSize NaN is considered a negative number

Backlog

SERVER-25188 Add non-debug UBSan variant for jstestfuzz tasks

Closed

related to

SERVER-35596 "max" field of the createCollection command should be sanitized prior to being interpreted as a long long

Closed

Assignee:: [DO NOT USE] Backlog - Query Optimization

Reporter:: Davide Italiano

Participants:: [DO NOT USE] Backlog - Query Optimization, Charlie Swanson, Davide Italiano, Max Hirschhorn, Steve Tarzia

Votes:: 0 Vote for this issue

Watchers:: 11 Start watching this issue

Created:: Feb 21 2014 02:10:23 AM UTC

Updated:: Jan 08 2024 03:23:07 PM UTC

Details

Description

Attachments

Issue Links

Activity

People

Dates