packages/python-pymongo
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
python-pymongo/backport-CVE-2024-21506.patch
liweigang 42683a1e91 Fix CVE-2024-21506 
Signed-off-by: liweigang <liweiganga@uniontech.com>
(cherry picked from commit 436bc9cc04089a0ec53924ce5e50754e8ed39d6c)
2024-04-07 16:48:19 +08:00

48 lines
2.0 KiB
Diff
Raw Permalink Blame History

From 56b6b6dbc267d365d97c037082369dabf37405d2 Mon Sep 17 00:00:00 2001
From: Shane Harvey <shnhrv@gmail.com>
Date: Wed, 27 Mar 2024 16:51:23 -0700
Subject: [PATCH] PYTHON-4305 Fix bson size check (#1564)
(cherry picked from commit 372b5d68d5a57ccc43b33407cd23f0bc79d99283)
---
bson/_cbsonmodule.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/bson/_cbsonmodule.c b/bson/_cbsonmodule.c
index 4e1881a275..da86cd8133 100644
--- a/bson/_cbsonmodule.c
+++ b/bson/_cbsonmodule.c
@@ -2405,6 +2405,7 @@ static PyObject* get_value(PyObject* self, PyObject* name, const char* buffer,
uint32_t c_w_s_size;
uint32_t code_size;
uint32_t scope_size;
+ uint32_t len;
PyObject* code;
PyObject* scope;
PyObject* code_type;
@@ -2424,7 +2425,8 @@ static PyObject* get_value(PyObject* self, PyObject* name, const char* buffer,
memcpy(&code_size, buffer + *position, 4);
code_size = BSON_UINT32_FROM_LE(code_size);
/* code_w_scope length + code length + code + scope length */
- if (!code_size || max < code_size || max < 4 + 4 + code_size + 4) {
+ len = 4 + 4 + code_size + 4;
+ if (!code_size || max < code_size || max < len || len < code_size) {
goto invalid;
}
*position += 4;
@@ -2442,12 +2444,9 @@ static PyObject* get_value(PyObject* self, PyObject* name, const char* buffer,
memcpy(&scope_size, buffer + *position, 4);
scope_size = BSON_UINT32_FROM_LE(scope_size);
- if (scope_size < BSON_MIN_SIZE) {
- Py_DECREF(code);
- goto invalid;
- }
/* code length + code + scope length + scope */
- if ((4 + code_size + 4 + scope_size) != c_w_s_size) {
+ len = 4 + 4 + code_size + scope_size;
+ if (scope_size < BSON_MIN_SIZE || len != c_w_s_size || len < scope_size) {
Py_DECREF(code);
goto invalid;
}
Reference in New Issue View Git Blame Copy Permalink