RUBY-3869 Validate Binary subtype 0x02 outer/inner length on decode #370

Merged: comandeo-mongo merged 1 commit into mongodb:master from comandeo-mongo:RUBY-3869 on Jun 10, 2026

comandeo-mongo (Contributor) commented May 6, 2026

Description

BSON::Binary.from_bson did not cross-check the outer/inner length fields for subtype 0x02 (:old), and never explicitly rejected negative lengths. Malformed payloads were caught only by incidental effects (the leftover bytes happening to misalign the next-field type byte, or a wrap-around triggering the C get_bytes overrun guard).

This change adds an explicit cross-check (inner_length == outer_length - 4) and an explicit negative-length guard, both raising BSON::Error::BSONDecodeError with a clear message.

What changed

  • lib/bson/binary.rb: from_bson now raises on length mismatch and negative length instead of relying on incidental rejection.
  • spec/bson/binary_spec.rb — unit specs covering the four error paths (inner too long, inner too short, inner negative, non-old outer negative). The bson-corpus tests assert only that something raises; these tests pin the exact error class and message.

Cross-driver reference

Matches the existing Python driver behavior in bson/__init__.py::_get_binary:

if subtype == 2:
    length2 = _UNPACK_INT_FROM(data, position)[0]
    position += 4
    if length2 != length - 4:
        raise InvalidBSON("invalid binary (st 2) - lengths don't match!")
    length = length2

Test plan

  • bundle exec rspec spec/bson/binary_spec.rb spec/spec_tests/corpus_spec.rb — 2613 examples, 0 failures.
  • bundle exec rubocop lib/bson/binary.rb spec/bson/binary_spec.rb — no offenses.

Jira

https://jira.mongodb.org/browse/RUBY-3869

Cross-check that the inner length equals outer_length - 4, and reject
negative outer/inner lengths up front. Both raise BSON::Error::BSONDecodeError
with explicit messages. Without the check, malformed payloads were caught
only by incidental side effects (next-field-type misalignment or get_bytes
overrun in the C extension).

Matches the behavior already implemented in the Python driver
(bson/__init__.py::_get_binary).
comandeo-mongo marked this pull request as ready for review June 9, 2026 08:21
comandeo-mongo requested a review from a team as a code owner June 9, 2026 08:21
comandeo-mongo requested a review from jamis June 9, 2026 08:21
comandeo-mongo merged commit 1d70a96 into mongodb:master Jun 10, 2026
48 of 51 checks passed
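
The length checks described in this PR, as an added stand-alone Ruby example (not the bson-ruby code from this PR, whose diff is not shown on this page). The method names, the error class and the message wording are assumptions; the sample payloads are constructed to mirror the four error paths listed under "What changed".

```ruby
# Added illustration, not bson-ruby's code. Names and messages are hypothetical.
class BinaryDecodeError < StandardError; end

OLD_SUBTYPE = 0x02

# Decodes the value of a BSON binary element from the start of +bytes+:
#   int32 outer_length | byte subtype | payload (outer_length bytes)
# For subtype 0x02 the payload is itself: int32 inner_length | data.
# Returns [subtype, data, bytes_consumed].
def decode_binary_payload(bytes)
  bytes = bytes.b
  raise BinaryDecodeError, 'truncated binary header' if bytes.bytesize < 5

  outer, subtype = bytes.unpack('l<C')
  raise BinaryDecodeError, "negative binary length #{outer}" if outer.negative?
  raise BinaryDecodeError, 'binary length exceeds buffer' if 5 + outer > bytes.bytesize
  return [subtype, bytes.byteslice(5, outer), 5 + outer] unless subtype == OLD_SUBTYPE
  raise BinaryDecodeError, 'subtype 0x02 payload shorter than 4 bytes' if outer < 4

  inner = bytes.byteslice(5, 4).unpack1('l<')
  raise BinaryDecodeError, "negative inner length #{inner}" if inner.negative?
  unless inner == outer - 4
    raise BinaryDecodeError, "inner length #{inner} != outer length #{outer} - 4"
  end

  [subtype, bytes.byteslice(9, inner), 5 + outer]
end

# Builds a constructed subtype 0x02 payload with independently chosen lengths.
def old_binary(outer, inner, data)
  [outer, OLD_SUBTYPE, inner].pack('l<Cl<') + data
end

# Returns the error message for a rejected payload, or nil if it decodes.
def decode_error(bytes)
  decode_binary_payload(bytes)
  nil
rescue BinaryDecodeError => e
  e.message
end

# Constructed samples mirroring the four error paths listed in the PR.
{
  'valid' => old_binary(7, 3, 'abc'),
  'inner too long' => old_binary(7, 5, 'abc'),
  'inner too short' => old_binary(7, 2, 'abc'),
  'inner negative' => old_binary(7, -1, 'abc'),
  'non-old outer negative' => [-1, 0x00].pack('l<C')
}.each { |name, raw| puts "#{name}: #{decode_error(raw) || 'ok'}" }
```

Returning the consumed byte count from the outer length keeps the caller aligned on the next element's type byte, which is the position the unchecked decoder could lose on a mismatched inner length.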
jamis pushed a commit to jamis/bson-ruby that referenced this pull request Jun 26, 2026
jamis added a commit that referenced this pull request Jun 29, 2026
…lready an ObjectId (#374)

* RUBY-3667 BSON::ObjectId(object_id) returns its argument when it is already an ObjectId

* grammar fix

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

* RUBY-3869 Validate Binary subtype 0x02 outer/inner length on decode (#370)

* RUBY-3872 Fix put_double TypeError message regex for Ruby head (#373)

---------

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Dmitry Rybakov <160598371+comandeo-mongo@users.noreply.github.com>
jamis added the bug label (Fixes a bug, with no new features or broken compatibility) Jul 1, 2026
jamis mentioned this pull request Jul 1, 2026