From 56b6b6dbc267d365d97c037082369dabf37405d2 Mon Sep 17 00:00:00 2001 From: Shane Harvey Date: Wed, 27 Mar 2024 16:51:23 -0700 Subject: [PATCH] PYTHON-4305 Fix bson size check (#1564) (cherry picked from commit 372b5d68d5a57ccc43b33407cd23f0bc79d99283) --- bson/_cbsonmodule.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/bson/_cbsonmodule.c b/bson/_cbsonmodule.c index 4e1881a275..da86cd8133 100644 --- a/bson/_cbsonmodule.c +++ b/bson/_cbsonmodule.c @@ -2405,6 +2405,7 @@ static PyObject* get_value(PyObject* self, PyObject* name, const char* buffer, uint32_t c_w_s_size; uint32_t code_size; uint32_t scope_size; + uint32_t len; PyObject* code; PyObject* scope; PyObject* code_type; @@ -2424,7 +2425,8 @@ static PyObject* get_value(PyObject* self, PyObject* name, const char* buffer, memcpy(&code_size, buffer + *position, 4); code_size = BSON_UINT32_FROM_LE(code_size); /* code_w_scope length + code length + code + scope length */ - if (!code_size || max < code_size || max < 4 + 4 + code_size + 4) { + len = 4 + 4 + code_size + 4; + if (!code_size || max < code_size || max < len || len < code_size) { goto invalid; } *position += 4; @@ -2442,12 +2444,9 @@ static PyObject* get_value(PyObject* self, PyObject* name, const char* buffer, memcpy(&scope_size, buffer + *position, 4); scope_size = BSON_UINT32_FROM_LE(scope_size); - if (scope_size < BSON_MIN_SIZE) { - Py_DECREF(code); - goto invalid; - } /* code length + code + scope length + scope */ - if ((4 + code_size + 4 + scope_size) != c_w_s_size) { + len = 4 + 4 + code_size + scope_size; + if (scope_size < BSON_MIN_SIZE || len != c_w_s_size || len < scope_size) { Py_DECREF(code); goto invalid; }