authorAndrew Morrow <acm@mongodb.com>2016-04-10 10:49:53 -0400
committerAndrew Morrow <acm@mongodb.com>2016-04-15 10:08:39 -0400
commit1261405f121b0d3dfe28e2ee04e425de0c118cea (patch)
tree74c584587a5e60c70de22d08461329d676ce1bf5 /src/mongo/db/pipeline/value.cpp
parent54cf694d82050cc695f826fdc6d0b063a157682c (diff)
SERVER-16221 SERVER-23709 Fix out of bounds array access in ValueStorage dassert
Diffstat (limited to 'src/mongo/db/pipeline/value.cpp')
-rw-r--r--src/mongo/db/pipeline/value.cpp7
1 files changed, 4 insertions, 3 deletions
diff --git a/src/mongo/db/pipeline/value.cpp b/src/mongo/db/pipeline/value.cpp
index cc35067b9da..be0d90af829 100644
--- a/src/mongo/db/pipeline/value.cpp
+++ b/src/mongo/db/pipeline/value.cpp
@@ -103,9 +103,10 @@ void ValueStorage::putString(StringData s) {
shortStrSize = s.size();
s.copyTo(shortStrStorage, false); // no NUL
- // All memory is zeroed before this is called.
- // Note this may be past end of shortStrStorage and into nulTerminator
- dassert(shortStrStorage[sizeNoNUL] == '\0');
+ // All memory is zeroed before this is called, so we know that
+ // the nulTerminator field will definitely contain a NUL byte.
+ dassert(((sizeNoNUL < sizeof(shortStrStorage)) && (shortStrStorage[sizeNoNUL] == '\0')) ||
+ (((shortStrStorage + sizeNoNUL) == &nulTerminator) && (nulTerminator == '\0')));
} else {
putRefCountable(RCString::create(s));
}
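Review bot: The second disjunct of the new dassert still forms `shortStrStorage + sizeNoNUL` and compares it with `&nulTerminator`, which is only meaningful if sizeNoNUL never exceeds sizeof(shortStrStorage) and nulTerminator sits directly after the array with no padding. Comparing sizes keeps the check free of pointer arithmetic and of the layout assumption: `(sizeNoNUL == sizeof(shortStrStorage) && nulTerminator == '\0')`. The adjacency that readers of the short string depend on would be better pinned once, beside the member declarations, with a static_assert; those declarations are not visible here, so confirm against the class definition. The branch condition that bounds sizeNoNUL is outside the hunk. If dassert is compiled out of release builds, as its name suggests, NUL termination there rests entirely on the "all memory is zeroed" precondition stated in the comment.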