-
Type: Bug
-
Resolution: Unresolved
-
Priority: Minor - P4
-
None
-
Affects Version/s: 2.6.0-rc0
-
Component/s: Aggregation Framework
-
Query Optimization
-
ALL
-
0
If 'batchSize' argument in cursor exceeds some value, it overflows, being considered negative.
> use foo switched to db foo > var bigArray = []; > for (var i = 0; i < 1000; ++i) { bigArray.push(i); } 1000 > var bigStr = Array(1001).toString(); > for (var i = 0; i < 100; ++i) { db.goo.insert({_id: i, bigArray: bigArray, bigStr: bigStr})}; WriteResult({ "nInserted" : 1 }) > var cursor = db.runCommand({aggregate: "goo", pipeline: [{$unwind:'$bigArray'}], cursor : {batchSize : Math.pow(2, 63)}}) > cursor { "errmsg" : "exception: Cursor batchSize must not be negative", "code" : 16957, "ok" : 0 } > var cursor = db.runCommand({aggregate: "goo", pipeline: [{$unwind:'$bigArray'}], cursor : {batchSize : Math.pow(2, 62)}}) > cursor { "cursor" : { "id" : NumberLong(0), "ns" : "test.goo", "firstBatch" : [ ..... ] }, "ok" : 1 }
> print(Math.pow(2, 63))
9223372036854776000
- is related to
-
SERVER-26148 Commands should convert integers from user input safely
- Backlog
-
SERVER-12814 Aggregation: cursor batchSize NaN is considered a negative number
- Backlog
-
SERVER-25188 Add non-debug UBSan variant for jstestfuzz tasks
- Closed
- related to
-
SERVER-35596 "max" field of the createCollection command should be sanitized prior to being interpreted as a long long
- Closed