@@ -129,7 +129,7 @@ static PyObject* _error(char* name) {
129129/* Safely downcast from Py_ssize_t to int, setting an
130130 * exception and returning -1 on error. */
131131static int
132- _downcast_and_check (Py_ssize_t size , unsigned extra ) {
132+ _downcast_and_check (Py_ssize_t size , int extra ) {
133133 if (size > BSON_MAX_SIZE || ((BSON_MAX_SIZE - extra ) < size )) {
134134 PyObject * InvalidStringData = _error ("InvalidStringData" );
135135 if (InvalidStringData ) {
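Review bot: With `extra` now signed, a negative `extra` or a negative `size` passes both comparisons in the `if` at new line 133, so a function documented as a safe downcast can return a value outside the intended range. If `BSON_MAX_SIZE` is close to `INT_MAX` (its definition is not in this hunk), `BSON_MAX_SIZE - extra` can also overflow for a negative `extra`. Rejecting both up front keeps the subtraction well defined: `if (size < 0 || extra < 0 || size > BSON_MAX_SIZE || (BSON_MAX_SIZE - extra) < size) {`. The body of `_downcast_and_check` continues past the end of the hunk.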
@@ -1382,9 +1382,9 @@ static PyObject* get_value(PyObject* self, const char* buffer, int* position,
13821382 case 3 :
13831383 {
13841384 PyObject * collection ;
1385- unsigned size ;
1385+ int size ;
13861386 memcpy (& size , buffer + * position , 4 );
1387- if (max < size ) {
1387+ if (size < 0 || max < size ) {
13881388 goto invalid ;
13891389 }
13901390 value = elements_to_dict (self , buffer + * position + 4 ,
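Review bot: The new `size < 0` test in case 3 still admits lengths of 0 to 4, which are smaller than the 4-byte length prefix plus terminator that the smallest well-formed embedded document occupies. The `elements_to_dict` call is cut off at the end of the hunk, so the length argument is not visible here. If it is derived by subtracting that framing from `size`, these values would produce a negative length. A lower bound in the same test would close the gap: `if (size < 5 || max < size) {`.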
@@ -1667,7 +1667,7 @@ static PyObject* get_value(PyObject* self, const char* buffer, int* position,
16671667 int flags ;
16681668 size_t flags_length , i ;
16691669 size_t pattern_length = strlen (buffer + * position );
1670- if (max < pattern_length || pattern_length > BSON_MAX_SIZE ) {
1670+ if (pattern_length > BSON_MAX_SIZE || max < ( int ) pattern_length ) {
16711671 goto invalid ;
16721672 }
16731673 pattern = PyUnicode_DecodeUTF8 (buffer + * position , pattern_length , "strict" );
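Review bot: `strlen(buffer + *position)` at new line 1669 scans for a NUL before any comparison with `max`, so the new check only rejects an over-long pattern after the scan has already run past the element. The same order appears at `coll_length = strlen(...)`, `code_length = strlen(...)` and `name_length = strlen(string + position)` in the later hunks. Whether the caller guarantees a terminator inside the buffer is not visible here. If it does not, a bounded search is the safer form, e.g. `const char *end = memchr(buffer + *position, 0, (size_t)max);` followed by `if (!end) goto invalid;`, assuming `max` counts the bytes remaining from `*position`. At minimum, a comment stating the termination guarantee these `strlen` calls rely on would help.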
@@ -1679,7 +1679,7 @@ static PyObject* get_value(PyObject* self, const char* buffer, int* position,
16791679 Py_DECREF (pattern );
16801680 goto invalid ;
16811681 }
1682- if (max < pattern_length + flags_length ) {
1682+ if (max < ( int )( pattern_length + flags_length ) ) {
16831683 Py_DECREF (pattern );
16841684 goto invalid ;
16851685 }
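Review bot: The cast in `max < ( int )( pattern_length + flags_length )` narrows a `size_t` sum that can exceed `INT_MAX` when `BSON_MAX_SIZE` is near `INT_MAX` (its value is not shown on this page); the result would then be negative and the comparison would pass. The same risk applies to the signed additions in `( int ) coll_length + 12`, `8 + ( int ) code_length` and `position + ( int ) name_length` in the other hunks, where overflow is undefined behaviour. Assuming the earlier `max < ( int ) pattern_length` check belongs to this same case, `max` is already known to be at least `pattern_length` here. The subtraction form therefore cannot wrap: `if (flags_length > (size_t)max - pattern_length) {`. The other sites can be written the same way, with the constant moved to the `max` side.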
@@ -1706,24 +1706,22 @@ static PyObject* get_value(PyObject* self, const char* buffer, int* position,
17061706 }
17071707 case 12 :
17081708 {
1709- size_t collection_length ;
1709+ size_t coll_length ;
17101710 PyObject * collection ;
17111711 PyObject * id ;
17121712
17131713 * position += 4 ;
1714- collection_length = strlen (buffer + * position );
1715- if (max < collection_length || collection_length > BSON_MAX_SIZE ) {
1714+ coll_length = strlen (buffer + * position );
1715+ if (coll_length > BSON_MAX_SIZE || max < ( int ) coll_length + 12 ) {
17161716 goto invalid ;
17171717 }
1718- collection = PyUnicode_DecodeUTF8 (buffer + * position , collection_length , "strict" );
1718+ collection = PyUnicode_DecodeUTF8 (buffer + * position ,
1719+ coll_length , "strict" );
17191720 if (!collection ) {
17201721 return NULL ;
17211722 }
1722- * position += (int )collection_length + 1 ;
1723- if (max < collection_length + 12 ) {
1724- Py_DECREF (collection );
1725- goto invalid ;
1726- }
1723+ * position += (int )coll_length + 1 ;
1724+
17271725 id = PyObject_CallFunction (state -> ObjectId , "s#" , buffer + * position , 12 );
17281726 if (!id ) {
17291727 Py_DECREF (collection );
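Review bot: The merged bound `max < ( int ) coll_length + 12` does not count the NUL terminator that `* position += (int )coll_length + 1` steps over before the 12-byte ObjectId is read, nor the 4 bytes skipped by `* position += 4` at the top of the case. How `max` relates to `*position` is not visible in this hunk, so the caller may already account for this. If `max` is the size of the whole value, the check is short by up to five bytes, and `max < 4 + ( int ) coll_length + 1 + 12` would be the matching bound. A one-line comment above the check stating what `max` measures at this point, e.g. `/* max = bytes available for this value, including the length prefix */`, would make the arithmetic checkable.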
@@ -1761,7 +1759,7 @@ static PyObject* get_value(PyObject* self, const char* buffer, int* position,
17611759
17621760 * position += 8 ;
17631761 code_length = strlen (buffer + * position );
1764- if (max < 8 + code_length || code_length > BSON_MAX_SIZE ) {
1762+ if (code_length > BSON_MAX_SIZE || max < 8 + ( int ) code_length ) {
17651763 goto invalid ;
17661764 }
17671765 code = PyUnicode_DecodeUTF8 (buffer + * position , code_length , "strict" );
@@ -1877,7 +1875,7 @@ static PyObject* elements_to_dict(PyObject* self, const char* string, int max,
18771875 PyObject * value ;
18781876 int type = (int )string [position ++ ];
18791877 size_t name_length = strlen (string + position );
1880- if (name_length > BSON_MAX_SIZE || position + name_length >= max ) {
1878+ if (name_length > BSON_MAX_SIZE || position + ( int ) name_length >= max ) {
18811879 PyObject * InvalidBSON = _error ("InvalidBSON" );
18821880 if (InvalidBSON ) {
18831881 PyErr_SetNone (InvalidBSON );
@@ -1908,7 +1906,7 @@ static PyObject* elements_to_dict(PyObject* self, const char* string, int max,
19081906}
19091907
19101908static PyObject * _cbson_bson_to_dict (PyObject * self , PyObject * args ) {
1911- unsigned int size ;
1909+ int size ;
19121910 Py_ssize_t total_size ;
19131911 const char * string ;
19141912 PyObject * bson ;
@@ -1955,7 +1953,16 @@ static PyObject* _cbson_bson_to_dict(PyObject* self, PyObject* args) {
19551953 if (!string ) {
19561954 return NULL ;
19571955 }
1956+
19581957 memcpy (& size , string , 4 );
1958+ if (size < 0 ) {
1959+ PyObject * InvalidBSON = _error ("InvalidBSON" );
1960+ if (InvalidBSON ) {
1961+ PyErr_SetString (InvalidBSON , "invalid message size" );
1962+ Py_DECREF (InvalidBSON );
1963+ }
1964+ return NULL ;
1965+ }
19591966
19601967 if (total_size < size ) {
19611968 PyObject * InvalidBSON = _error ("InvalidBSON" );
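Review bot: `memcpy (& size , string , 4 )` stores the length prefix in host byte order, so the new `size < 0` test and the `total_size < size` test that follows only see the intended value on a little-endian host. BSON lengths are little-endian, and no conversion is visible on these lines. The same applies to the `memcpy` in case 3 of `get_value` and in `_cbson_decode_all`. If big-endian builds are supported, assemble the value from bytes in one shared helper, e.g. `(uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24` with `p` an `unsigned char` pointer, then range-check it before converting to `int`. If they are not supported, a comment or build-time check saying so would document the assumption.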
@@ -1995,7 +2002,7 @@ static PyObject* _cbson_bson_to_dict(PyObject* self, PyObject* args) {
19952002}
19962003
19972004static PyObject * _cbson_decode_all (PyObject * self , PyObject * args ) {
1998- unsigned int size ;
2005+ int size ;
19992006 Py_ssize_t total_size ;
20002007 const char * string ;
20012008 PyObject * bson ;
@@ -2045,6 +2052,15 @@ static PyObject* _cbson_decode_all(PyObject* self, PyObject* args) {
20452052 }
20462053
20472054 memcpy (& size , string , 4 );
2055+ if (size < 0 ) {
2056+ PyObject * InvalidBSON = _error ("InvalidBSON" );
2057+ if (InvalidBSON ) {
2058+ PyErr_SetString (InvalidBSON , "invalid message size" );
2059+ Py_DECREF (InvalidBSON );
2060+ }
2061+ Py_DECREF (result );
2062+ return NULL ;
2063+ }
20482064
20492065 if (total_size < size ) {
20502066 PyObject * InvalidBSON = _error ("InvalidBSON" );
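Review bot: The negative-size error block added here repeats the one added to `_cbson_bson_to_dict` almost line for line, and a further `InvalidBSON` block begins on the following context line. A small static helper that fetches `InvalidBSON` via `_error`, sets the message and drops the reference would reduce each call site to one call plus its own cleanup, which here is `Py_DECREF (result ); return NULL ;`. That keeps the reference handling in one place, where a missed `Py_DECREF` is easier to spot. `_cbson_decode_all` continues beyond the end of the hunk.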