Fix bsoncore overflow (#223)

tvi · Divjot Arora · commit b4d25d2fb0c3 · 2019-12-02T11:40:03.000-05:00
diff --git a/x/bsonx/bsoncore/bsoncore.go b/x/bsonx/bsoncore/bsoncore.go
@@ -123,6 +123,9 @@ func ReadElement(src []byte) (Element, []byte, bool) {
 	if elemLength > len(src) {
 		return nil, src, false
 	}
+	if elemLength < 0 {
+		return nil, src, false
+	}
 	return src[:elemLength], src[elemLength:], true
 }
 
@@ -723,13 +726,18 @@ func appendi32(dst []byte, i32 int32) []byte {
 // ReadLength reads an int32 length from src and returns the length and the remaining bytes. If
 // there aren't enough bytes to read a valid length, src is returned unomdified and the returned
 // bool will be false.
-func ReadLength(src []byte) (int32, []byte, bool) { return readi32(src) }
+func ReadLength(src []byte) (int32, []byte, bool) {
+	ln, src, ok := readi32(src)
+	if ln < 0 {
+		return ln, src, false
+	}
+	return ln, src, ok
+}
 
 func readi32(src []byte) (int32, []byte, bool) {
 	if len(src) < 4 {
 		return 0, src, false
 	}
-
 	return (int32(src[0]) | int32(src[1])<<8 | int32(src[2])<<16 | int32(src[3])<<24), src[4:], true
 }
 
diff --git a/x/bsonx/document_test.go b/x/bsonx/document_test.go
@@ -65,11 +65,25 @@ func TestDocument(t *testing.T) {
 		t.Parallel()
 		t.Run("UnmarshalingError", func(t *testing.T) {
 			t.Parallel()
-			invalid := []byte{0x01, 0x02}
-			want := bsoncore.NewInsufficientBytesError(nil, nil)
-			_, got := ReadDoc(invalid)
-			if !compareErrors(got, want) {
-				t.Errorf("Expected errors to match. got %v; want %v", got, want)
+			testCases := []struct {
+				name    string
+				invalid []byte
+			}{
+				{"base", []byte{0x01, 0x02}},
+				{"fuzzed1", []byte("0\x990\xc4")}, // fuzzed
+				{"fuzzed2", []byte("\x10\x00\x00\x00\x10\x000000\x0600\x00\x05\x00\xff\xff\xff\u007f")}, // fuzzed
+			}
+
+			for _, tc := range testCases {
+				tc := tc
+				t.Run(tc.name, func(t *testing.T) {
+					t.Parallel()
+					want := bsoncore.NewInsufficientBytesError(nil, nil)
+					_, got := ReadDoc(tc.invalid)
+					if !compareErrors(got, want) {
+						t.Errorf("Expected errors to match. got %v; want %v", got, want)
+					}
+				})
 			}
 		})
 		t.Run("success", func(t *testing.T) {
