CDRIVER-5756 Coverity fixes (#1867)

* check return value of bson_init_static

CID: 100057

* check return value of malloc

CID: 100087

* add bounds check to ensure int32_t fits in size_t

CID: 112395

* check return value of bson_iter_init

CID: 115840, 115848, 115851, 115853

* check bounds on return value from sysconf

CID: 134019

* check return when calling pthread_once/InitOnceExecuteOnce

CID: 138314

* explicit cast to int64_t

CID: 138986

* bounds check when summing return from send()

CID: 138989

* acquire mutex before modifying topology

CID: 156373

* ensure a NULL pointer is not dereferenced

CID: 157950

* static cast to ensure proper comparison

Co-authored-by: vector-of-bool <[email protected]>

* remove wrapping macros

* use BSON_ASSERT instead of Boolean check for opt

* also check return value of calloc

* use bson_malloc rather than plain malloc

Co-authored-by: Kevin Albertson <[email protected]>

* drop redundant mongo_common_once defitions, use bson_once instead

* rather than assert, test against INT_MAX and provide a suitable error message

* tighter asserts

Co-authored-by: Kevin Albertson <[email protected]>

* tighter asserts

Co-authored-by: Kevin Albertson <[email protected]>

* use bson_free instead of free

* tighter asserts

* revert inadequate concurrency fix

---------

Co-authored-by: vector-of-bool <[email protected]>
Co-authored-by: Kevin Albertson <[email protected]>

Author: 3 people

src/common/src/common-b64.c

@@ -41,6 +41,7 @@
  */
 
 #include <common-b64-private.h>
+#include <common-thread-private.h>
 
 #include <bson/bson.h>
 
@@ -262,24 +263,7 @@ static const uint8_t mongoc_b64rmap_space = 0xfe;
 static const uint8_t mongoc_b64rmap_invalid = 0xff;
 
 /* initializing the reverse map isn't thread safe, do it in pthread_once */
-#if defined(BSON_OS_UNIX)
-#include <pthread.h>
-#define mongoc_common_once_t pthread_once_t
-#define mongoc_common_once pthread_once
-#define MONGOC_COMMON_ONCE_FUN(n) void n (void)
-#define MONGOC_COMMON_ONCE_RETURN return
-#define MONGOC_COMMON_ONCE_INIT PTHREAD_ONCE_INIT
-#else
-#define mongoc_common_once_t INIT_ONCE
-#define MONGOC_COMMON_ONCE_INIT INIT_ONCE_STATIC_INIT
-#define mongoc_common_once(o, c) InitOnceExecuteOnce (o, c, NULL, NULL)
-#define MONGOC_COMMON_ONCE_FUN(n)                                                                    \
-   BOOL CALLBACK MLIB_PRAGMA_IF_MSVC (warning (push)) MLIB_PRAGMA_IF_MSVC (warning (disable : 4100)) \
-      n (PINIT_ONCE _ignored_a, PVOID _ignored_b, PVOID *_ignored_c) MLIB_PRAGMA_IF_MSVC (warning (pop))
-#define MONGOC_COMMON_ONCE_RETURN return true
-#endif
-
-static MONGOC_COMMON_ONCE_FUN (bson_b64_initialize_rmap)
+static BSON_ONCE_FUN (bson_b64_initialize_rmap)
 {
    /* Null: end of string, stop parsing */
    mongoc_b64rmap[0] = mongoc_b64rmap_end;
@@ -301,7 +285,7 @@ static MONGOC_COMMON_ONCE_FUN (bson_b64_initialize_rmap)
    for (uint8_t i = 0; Base64[i] != '\0'; ++i)
       mongoc_b64rmap[(uint8_t) Base64[i]] = i;
 
-   MONGOC_COMMON_ONCE_RETURN;
+   BSON_ONCE_RETURN;
 }
 
 static int
@@ -516,9 +500,9 @@ mongoc_b64_pton_len (char const *src)
 int
 mcommon_b64_pton (char const *src, uint8_t *target, size_t targsize)
 {
-   static mongoc_common_once_t once = MONGOC_COMMON_ONCE_INIT;
+   static bson_once_t once = BSON_ONCE_INIT;
 
-   mongoc_common_once (&once, bson_b64_initialize_rmap);
+   bson_once (&once, bson_b64_initialize_rmap);
 
    if (!src) {
       return -1;

src/libbson/src/bson/bson-json.c

@@ -351,13 +351,17 @@ _noop (void)
       bson->code_data.in_scope = false; \
    } while (0)
 #define STACK_POP_DBPOINTER STACK_POP_DOC (_noop ())
-#define BASIC_CB_PREAMBLE                         \
-   const char *key;                               \
-   size_t len;                                    \
-   bson_json_reader_bson_t *bson = &reader->bson; \
-   _bson_json_read_fixup_key (bson);              \
-   key = bson->key;                               \
-   len = bson->key_buf.len;                       \
+#define BASIC_CB_PREAMBLE                                                                                            \
+   const char *key;                                                                                                  \
+   size_t len;                                                                                                       \
+   bson_json_reader_bson_t *bson = &reader->bson;                                                                    \
+   _bson_json_read_fixup_key (bson);                                                                                 \
+   key = bson->key;                                                                                                  \
+   len = bson->key_buf.len;                                                                                          \
+   if (len > INT_MAX) {                                                                                              \
+      _bson_json_read_set_error (reader, "Failed to read JSON. key size %zu is too large. Max is %d", len, INT_MAX); \
+      return;                                                                                                        \
+   }                                                                                                                 \
    (void) 0
 #define BASIC_CB_BAIL_IF_NOT_NORMAL(_type)                                                                   \
    if (bson->read_state != BSON_JSON_REGULAR) {                                                              \
@@ -628,7 +632,7 @@ _bson_json_read_integer (bson_json_reader_t *reader, uint64_t val, int64_t sign)
       BASIC_CB_BAIL_IF_NOT_NORMAL ("integer");
 
       if (val <= INT32_MAX || (sign == -1 && val <= (uint64_t) INT32_MAX + 1)) {
-         bson_append_int32 (STACK_BSON_CHILD, key, (int) len, (int) (val * sign));
+         bson_append_int32 (STACK_BSON_CHILD, key, (int) len, (int32_t) ((int64_t) val * sign));
       } else if (sign == -1) {
 #if defined(_WIN32) && !defined(__MINGW32__)
          // Unary negation of unsigned integer is deliberate.

src/libbson/src/jsonsl/jsonsl.c

@@ -1052,9 +1052,9 @@ void jsonsl_jpr_match_state_init(jsonsl_t jsn,
     if (njprs == 0) {
         return;
     }
-    jsn->jprs = (jsonsl_jpr_t *)malloc(sizeof(jsonsl_jpr_t) * njprs);
+    jsn->jprs = (jsonsl_jpr_t *) bson_malloc (sizeof (jsonsl_jpr_t) * njprs);
     jsn->jpr_count = njprs;
-    jsn->jpr_root = (size_t*)calloc(1, sizeof(size_t) * njprs * jsn->levels_max);
+    jsn->jpr_root = (size_t *) bson_malloc0 (sizeof (size_t) * njprs * jsn->levels_max);
     memcpy(jsn->jprs, jprs, sizeof(jsonsl_jpr_t) * njprs);
     /* Set the initial jump table values */
 
@@ -1070,8 +1070,8 @@ void jsonsl_jpr_match_state_cleanup(jsonsl_t jsn)
         return;
     }
 
-    free(jsn->jpr_root);
-    free(jsn->jprs);
+    bson_free(jsn->jpr_root);
+    bson_free(jsn->jprs);
     jsn->jprs = NULL;
     jsn->jpr_root = NULL;
     jsn->jpr_count = 0;

src/libmongoc/src/mongoc/mongoc-client-session.c

@@ -885,7 +885,9 @@ _max_time_ms_failure (bson_t *reply)
       return true;
    }
 
-   bson_iter_init (&iter, reply);
+   if (!bson_iter_init (&iter, reply)) {
+      return false;
+   }
    if (bson_iter_find_descendant (&iter, "writeConcernError.codeName", &descendant) &&
        BSON_ITER_HOLDS_UTF8 (&descendant) && 0 == strcmp (bson_iter_utf8 (&descendant, NULL), MAX_TIME_MS_EXPIRED)) {
       return true;

src/libmongoc/src/mongoc/mongoc-collection.c

@@ -937,8 +937,12 @@ _mongoc_collection_index_keys_equal (const bson_t *expected, const bson_t *actua
    bson_iter_t iter_expected;
    bson_iter_t iter_actual;
 
-   bson_iter_init (&iter_expected, expected);
-   bson_iter_init (&iter_actual, actual);
+   if (!bson_iter_init (&iter_expected, expected)) {
+      return false;
+   }
+   if (!bson_iter_init (&iter_actual, actual)) {
+      return false;
+   }
 
    while (bson_iter_next (&iter_expected)) {
       /* If the key document has fewer items than expected, indexes are unequal

src/libmongoc/src/mongoc/mongoc-counters.c

@@ -119,6 +119,7 @@ mongoc_counters_calc_size (void)
    if (mlib_cmp (size, >, pg_sz)) {
       return size;
    } else {
+      BSON_ASSERT (pg_sz > 0);
       return (size_t) pg_sz;
    }
 #else

src/libmongoc/src/mongoc/mongoc-server-description.c

@@ -794,7 +794,7 @@ mongoc_server_description_new_copy (const mongoc_server_description_t *descripti
          const uint8_t *data = bson_get_data (&copy->last_hello_response) + offset;                                  \
          uint32_t len = description->FIELD.len;                                                                      \
          MONGOC_DEBUG_ASSERT (offset + len <= copy->last_hello_response.len);                                        \
-         bson_init_static (&copy->FIELD, data, len);                                                                 \
+         BSON_ASSERT (bson_init_static (&copy->FIELD, data, len));                                                   \
       } else {                                                                                                       \
          bson_init (&copy->FIELD);                                                                                   \
       }                                                                                                              \

src/libmongoc/src/mongoc/mongoc-socket.c

@@ -1207,6 +1207,7 @@ _mongoc_socket_try_sendv_slow (mongoc_socket_t *sock, /* IN */
          RETURN (ret ? ret : -1);
       }
 
+      BSON_ASSERT (mlib_cmp (wrote, <=, SSIZE_MAX - ret));
       ret += wrote;
 
       if (mlib_cmp (wrote, !=, iov[i].iov_len)) {

src/libmongoc/src/mongoc/mongoc-stream-tls-openssl.c

@@ -829,6 +829,9 @@ create_stream_with_ctx (
 mongoc_stream_t *
 mongoc_stream_tls_openssl_new (mongoc_stream_t *base_stream, const char *host, mongoc_ssl_opt_t *opt, int client)
 {
+   BSON_ASSERT_PARAM (base_stream);
+   BSON_ASSERT_PARAM (opt);
+
    SSL_CTX *ssl_ctx = _mongoc_openssl_ctx_new (opt);
 
    if (!ssl_ctx) {

src/libmongoc/src/mongoc/mongoc-uri.c

@@ -904,7 +904,10 @@ mongoc_uri_options_validate_names (const bson_t *a, const bson_t *b, bson_error_
    /* Scan `a` looking for deprecated names
     * where the canonical name was also used in `a`,
     * or was used in `b`. */
-   bson_iter_init (&key_iter, a);
+   if (!bson_iter_init (&key_iter, a)) {
+      return false;
+   }
+
    while (bson_iter_next (&key_iter)) {
       key = bson_iter_key (&key_iter);
       value = bson_iter_utf8_unsafe (&key_iter, &value_len);
@@ -966,7 +969,10 @@ mongoc_uri_apply_options (mongoc_uri_t *uri, const bson_t *options, bool from_dn
    size_t value_len;
    bool bval;
 
-   bson_iter_init (&iter, options);
+   if (!bson_iter_init (&iter, options)) {
+      return false;
+   }
+
    while (bson_iter_next (&iter)) {
       key = bson_iter_key (&iter);
       canon = mongoc_uri_canonicalize_option (key);