diff options
author | Andrew Morrow <acm@10gen.com> | 2013-09-13 10:57:37 -0400 |
---|---|---|
committer | Andrew Morrow <acm@10gen.com> | 2013-09-13 11:17:22 -0400 |
commit | 2110a136ef89f761928014364acef203d1feca4e (patch) | |
tree | d92f9d3173f48e8c8eb1e7a1e1f4150fa8da5206 /src/mongo/db/field_ref.cpp | |
parent | eb22c8e590a60dde9adde997f34cddcea9d166f8 (diff) | |
download | mongo-2110a136ef89f761928014364acef203d1feca4e.tar.gz |
SERVER-10159 Fix invalid dereference of end iterator while parsing invalid field names
Diffstat (limited to 'src/mongo/db/field_ref.cpp')
-rw-r--r-- | src/mongo/db/field_ref.cpp | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/src/mongo/db/field_ref.cpp b/src/mongo/db/field_ref.cpp index 2b09e2ee011..85d0c123fd9 100644 --- a/src/mongo/db/field_ref.cpp +++ b/src/mongo/db/field_ref.cpp @@ -59,7 +59,19 @@ namespace mongo { continue; } - appendPart(StringData(&*beg, cur - beg)); + // If cur != beg then we advanced cur in the loop above, so we have a real sequence + // of characters to add as a new part. Otherwise, we may be parsing something odd, + // like "..", and we need to add an empty StringData piece to represent the "part" + // in-between the dots. This also handles the case where 'beg' and 'cur' are both + // at 'end', which can happen if we are parsing anything with a terminal "." + // character. In that case, we still need to add an empty part, but we will break + // out of the loop below since we will not execute the guarded 'continue' and will + // instead reach the break statement. + + if (cur != beg) + appendPart(StringData(&*beg, cur - beg)); + else + appendPart(StringData()); if (cur != end) { beg = ++cur; |