CDRIVER-5734 assert length in bson_value_copy before malloc (#1740)

* add asserts before malloc

* convert lens to size_t

Author: joshbsiegel

src/libbson/src/bson/bson-value.c

@@ -19,6 +19,7 @@
 #include <bson/bson-string.h>
 #include <bson/bson-value.h>
 #include <bson/bson-oid.h>
+#include <bson/bson-cmp.h>
 
 
 void
@@ -35,8 +36,11 @@ bson_value_copy (const bson_value_t *src, /* IN */
       dst->value.v_double = src->value.v_double;
       break;
    case BSON_TYPE_UTF8:
+      BSON_ASSERT (bson_in_range_size_t_unsigned (src->value.v_utf8.len));
+      size_t utf8_len_sz = (size_t) src->value.v_utf8.len;
+      BSON_ASSERT (utf8_len_sz <= SIZE_MAX - 1);
       dst->value.v_utf8.len = src->value.v_utf8.len;
-      dst->value.v_utf8.str = bson_malloc (src->value.v_utf8.len + 1);
+      dst->value.v_utf8.str = bson_malloc (utf8_len_sz + 1);
       memcpy (dst->value.v_utf8.str, src->value.v_utf8.str, dst->value.v_utf8.len);
       dst->value.v_utf8.str[dst->value.v_utf8.len] = '\0';
       break;
@@ -68,28 +72,40 @@ bson_value_copy (const bson_value_t *src, /* IN */
       dst->value.v_regex.options = bson_strdup (src->value.v_regex.options);
       break;
    case BSON_TYPE_DBPOINTER:
+      BSON_ASSERT (bson_in_range_size_t_unsigned (src->value.v_dbpointer.collection_len));
+      size_t dbpointer_len_sz = (size_t) src->value.v_dbpointer.collection_len;
+      BSON_ASSERT (dbpointer_len_sz <= SIZE_MAX - 1);
       dst->value.v_dbpointer.collection_len = src->value.v_dbpointer.collection_len;
-      dst->value.v_dbpointer.collection = bson_malloc (src->value.v_dbpointer.collection_len + 1);
+      dst->value.v_dbpointer.collection = bson_malloc (dbpointer_len_sz + 1);
       memcpy (
          dst->value.v_dbpointer.collection, src->value.v_dbpointer.collection, dst->value.v_dbpointer.collection_len);
       dst->value.v_dbpointer.collection[dst->value.v_dbpointer.collection_len] = '\0';
       bson_oid_copy (&src->value.v_dbpointer.oid, &dst->value.v_dbpointer.oid);
       break;
    case BSON_TYPE_CODE:
+      BSON_ASSERT (bson_in_range_size_t_unsigned (src->value.v_code.code_len));
+      size_t code_len_sz = (size_t) src->value.v_code.code_len;
+      BSON_ASSERT (code_len_sz <= SIZE_MAX - 1);
       dst->value.v_code.code_len = src->value.v_code.code_len;
-      dst->value.v_code.code = bson_malloc (src->value.v_code.code_len + 1);
+      dst->value.v_code.code = bson_malloc (code_len_sz + 1);
       memcpy (dst->value.v_code.code, src->value.v_code.code, dst->value.v_code.code_len);
       dst->value.v_code.code[dst->value.v_code.code_len] = '\0';
       break;
    case BSON_TYPE_SYMBOL:
+      BSON_ASSERT (bson_in_range_size_t_unsigned (src->value.v_symbol.len));
+      size_t symbol_len_sz = (size_t) src->value.v_symbol.len;
+      BSON_ASSERT (symbol_len_sz <= SIZE_MAX - 1);
       dst->value.v_symbol.len = src->value.v_symbol.len;
-      dst->value.v_symbol.symbol = bson_malloc (src->value.v_symbol.len + 1);
+      dst->value.v_symbol.symbol = bson_malloc (symbol_len_sz + 1);
       memcpy (dst->value.v_symbol.symbol, src->value.v_symbol.symbol, dst->value.v_symbol.len);
       dst->value.v_symbol.symbol[dst->value.v_symbol.len] = '\0';
       break;
    case BSON_TYPE_CODEWSCOPE:
+      BSON_ASSERT (bson_in_range_size_t_unsigned (src->value.v_codewscope.code_len));
+      size_t codewscope_len_sz = (size_t) src->value.v_codewscope.code_len;
+      BSON_ASSERT (codewscope_len_sz <= SIZE_MAX - 1);
       dst->value.v_codewscope.code_len = src->value.v_codewscope.code_len;
-      dst->value.v_codewscope.code = bson_malloc (src->value.v_codewscope.code_len + 1);
+      dst->value.v_codewscope.code = bson_malloc (codewscope_len_sz + 1);
       memcpy (dst->value.v_codewscope.code, src->value.v_codewscope.code, dst->value.v_codewscope.code_len);
       dst->value.v_codewscope.code[dst->value.v_codewscope.code_len] = '\0';
       dst->value.v_codewscope.scope_len = src->value.v_codewscope.scope_len;