RUST-2241 Convert panic from malformed input to error (#568)

abr-egn · web-flow · commit 543bad8e0a95 · 2025-07-03T14:50:59.000-04:00
diff --git a/serde-tests/test.rs b/serde-tests/test.rs
@@ -21,6 +21,7 @@ use bson::{
     cstr,
     doc,
     oid::ObjectId,
+    serde_helpers::Utf8LossyDeserialization,
     spec::BinarySubtype,
     Binary,
     Bson,
@@ -1330,3 +1331,10 @@ fn invalid_length() {
     // This is a regression test for fuzzer-generated input (RUST-1240).
     assert!(bson::deserialize_from_slice::<Document>(&[4, 0, 0, 128, 0, 87]).is_err());
 }
+
+#[test]
+fn code_with_scope_too_long() {
+    // This is a regression test for fuzzer-generated input (RUST-2241).
+    let bytes = base64::decode("KAAAAAsBCRwPAAAACwFAAAAEAA8AEAAAAAYAAAAA9wD5/wAABgALAA==").unwrap();
+    assert!(bson::deserialize_from_slice::<Utf8LossyDeserialization<Document>>(&bytes).is_err());
+}
diff --git a/src/raw/iter.rs b/src/raw/iter.rs
@@ -289,6 +289,9 @@ impl<'a> RawElement<'a> {
                 let slice = self.slice();
                 let code = String::from_utf8_lossy(read_lenencode_bytes(&slice[4..])?).into_owned();
                 let scope_start = 4 + 4 + code.len() + 1;
+                if scope_start >= slice.len() {
+                    return Err(self.malformed_error("code with scope length overrun"));
+                }
                 let scope = RawDocument::decode_from_bytes(&slice[scope_start..])?;
 
                 Utf8LossyBson::JavaScriptCodeWithScope(Utf8LossyJavaScriptCodeWithScope {
