SERVER-10159 Fix invalid dereference of end iterator while parsing invalid field names

author: Andrew Morrow <acm@10gen.com> 2013-09-13 10:57:37 -0400
committer: Andrew Morrow <acm@10gen.com> 2013-09-13 11:17:22 -0400
commit: 2110a136ef89f761928014364acef203d1feca4e (patch)
tree: d92f9d3173f48e8c8eb1e7a1e1f4150fa8da5206 /src/mongo
parent: eb22c8e590a60dde9adde997f34cddcea9d166f8 (diff)
download: mongo-2110a136ef89f761928014364acef203d1feca4e.tar.gz
2 files changed, 24 insertions, 1 deletions
diff --git a/src/mongo/db/field_ref.cpp b/src/mongo/db/field_ref.cpp
index 2b09e2ee011..85d0c123fd9 100644
--- a/src/mongo/db/field_ref.cpp
+++ b/src/mongo/db/field_ref.cpp
@@ -59,7 +59,19 @@ namespace mongo {
                 continue;
             }
 
-            appendPart(StringData(&*beg, cur - beg));
+            // If cur != beg then we advanced cur in the loop above, so we have a real sequence
+            // of characters to add as a new part. Otherwise, we may be parsing something odd,
+            // like "..", and we need to add an empty StringData piece to represent the "part"
+            // in-between the dots. This also handles the case where 'beg' and 'cur' are both
+            // at 'end', which can happen if we are parsing anything with a terminal "."
+            // character. In that case, we still need to add an empty part, but we will break
+            // out of the loop below since we will not execute the guarded 'continue' and will
+            // instead reach the break statement.
+
+            if (cur != beg)
+                appendPart(StringData(&*beg, cur - beg));
+            else
+                appendPart(StringData());
 
             if (cur != end) {
                 beg = ++cur;
diff --git a/src/mongo/db/field_ref_test.cpp b/src/mongo/db/field_ref_test.cpp
index b33cf44fbb4..1d98c76b2e3 100644
--- a/src/mongo/db/field_ref_test.cpp
+++ b/src/mongo/db/field_ref_test.cpp
@@ -46,6 +46,17 @@ namespace {
         ASSERT_EQUALS(fieldRef.dottedField(), field);
     }
 
+    TEST(Empty, NoFieldNames2) {
+        string field = "..";
+        FieldRef fieldRef;
+        fieldRef.parse(field);
+        ASSERT_EQUALS(fieldRef.numParts(), 3U);
+        ASSERT_EQUALS(fieldRef.getPart(0), "");
+        ASSERT_EQUALS(fieldRef.getPart(1), "");
+        ASSERT_EQUALS(fieldRef.getPart(2), "");
+        ASSERT_EQUALS(fieldRef.dottedField(), field);
+    }
+
     TEST(Empty, EmptyFieldName) {
         string field = ".b.";
         FieldRef fieldRef;
author	Andrew Morrow <acm@10gen.com>	2013-09-13 10:57:37 -0400
committer	Andrew Morrow <acm@10gen.com>	2013-09-13 11:17:22 -0400
commit	2110a136ef89f761928014364acef203d1feca4e (patch)
tree	d92f9d3173f48e8c8eb1e7a1e1f4150fa8da5206 /src/mongo
parent	eb22c8e590a60dde9adde997f34cddcea9d166f8 (diff)
download	mongo-2110a136ef89f761928014364acef203d1feca4e.tar.gz