34 lines
1.5 KiB
Diff
34 lines
1.5 KiB
Diff
Backported upstream commit https://github.com/mongodb/mongo-python-driver/commit/56b6b6dbc267d365d97c037082369dabf37405d2
|
|
Fixed CVE-2024-5629
|
|
diff -ur mongo-python-driver-3.7.0/bson/_cbsonmodule.c mongo_patch/bson/_cbsonmodule.c
|
|
--- mongo-python-driver-3.7.0/bson/_cbsonmodule.c 2018-06-26 18:08:42.000000000 +0000
|
|
+++ mongo_patch/bson/_cbsonmodule.c 2025-04-06 07:06:48.259986820 +0000
|
|
@@ -2280,6 +2280,7 @@
|
|
uint32_t c_w_s_size;
|
|
uint32_t code_size;
|
|
uint32_t scope_size;
|
|
+ uint32_t len;
|
|
PyObject* code;
|
|
PyObject* scope;
|
|
PyObject* code_type;
|
|
@@ -2299,7 +2300,8 @@
|
|
memcpy(&code_size, buffer + *position, 4);
|
|
code_size = BSON_UINT32_FROM_LE(code_size);
|
|
/* code_w_scope length + code length + code + scope length */
|
|
- if (!code_size || max < code_size || max < 4 + 4 + code_size + 4) {
|
|
+ len = 4 + 4 + code_size + 4;
|
|
+ if (!code_size || max < code_size || max < len || len < code_size) {
|
|
goto invalid;
|
|
}
|
|
*position += 4;
|
|
@@ -2322,7 +2324,8 @@
|
|
goto invalid;
|
|
}
|
|
/* code length + code + scope length + scope */
|
|
- if ((4 + code_size + 4 + scope_size) != c_w_s_size) {
|
|
+ len = 4 + 4 + code_size + scope_size;
|
|
+ if (scope_size < BSON_MIN_SIZE || len != c_w_s_size || len < scope_size) {
|
|
Py_DECREF(code);
|
|
goto invalid;
|
|
}
|