Skip to content

Fix: prevent signed integer overflow in OP_MSG message sizes #2693

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
HyperPS wants to merge 13 commits into
base: master
Choose a base branch
from
Open

Fix: prevent signed integer overflow in OP_MSG message sizes #2693

Changes from 1 commit
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
2a0304e
Fix: prevent signed integer overflow in OP_MSG message sizes
HyperPS Jan 30, 2026
e5cdb2e
Fix: prevent signed integer overflow in OP_MSG message sizes
HyperPS Feb 1, 2026
acc3f21
Fix signed int32 overflow in message and buffer size calculations
HyperPS Feb 1, 2026
3211211
Apply suggestion from @Jibola
HyperPS Feb 1, 2026
f170513
Update pymongo/_cmessagemodule.c
HyperPS Feb 1, 2026
ef64bbf
Merge branch 'master' into fix/int32-overflow-opmsg
HyperPS Feb 3, 2026
5201951
Revert all bson/buffer.c changes and keep only valid fix in _cmessage…
HyperPS Feb 24, 2026
077648c
Revert all changes except fix: check downsize instead of size in buff…
HyperPS Feb 24, 2026
4d57f95
Fix: restore trailing newline in bson/buffer.c
HyperPS Feb 24, 2026
bba20d2
Revert all cosmetic changes, keep only downsize fix on line 63
HyperPS Feb 24, 2026
e252ccc
Merge branch 'master' into fix/int32-overflow-opmsg
HyperPS Feb 24, 2026
2f301ea
Apply suggestions from code review
Jibola Apr 1, 2026
5c0ee69
Merge branch 'master' into fix/int32-overflow-opmsg
Jibola Apr 3, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
103 changes: 86 additions & 17 deletions pymongo/_cmessagemodule.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,18 @@

#include "_cbsonmodule.h"
#include "buffer.h"
#include <limits.h>

static int
_check_int32_size(size_t size, const char *what) {
if (size > (size_t)INT32_MAX) {
PyErr_Format(PyExc_OverflowError,
"MongoDB %s exceeds maximum int32 size (%d bytes)",
Comment thread
HyperPS marked this conversation as resolved.
Outdated
what, INT32_MAX);
return 0;
}
return 1;
}
Comment thread
HyperPS marked this conversation as resolved.
Outdated

struct module_state {
PyObject* _cbson;
Expand Down Expand Up @@ -80,7 +92,8 @@ static PyObject* _cbson_query_message(PyObject* self, PyObject* args) {
PyObject* options_obj = NULL;
codec_options_t options;
buffer_t buffer = NULL;
int length_location, message_length;
int length_location;
size_t message_length;
PyObject* result = NULL;
struct module_state *state = GETSTATE(self);
if (!state) {
Expand Down Expand Up @@ -136,10 +149,18 @@ static PyObject* _cbson_query_message(PyObject* self, PyObject* args) {
max_size = (cur_size > max_size) ? cur_size : max_size;
}

message_length = pymongo_buffer_get_position(buffer) - length_location;
Comment thread
HyperPS marked this conversation as resolved.
message_length =
(size_t)pymongo_buffer_get_position(buffer) -
(size_t)length_location;
Comment thread
HyperPS marked this conversation as resolved.
Outdated

if (!_check_int32_size(message_length, "message length")) {
goto fail;
}

buffer_write_int32_at_position(
buffer, length_location, (int32_t)message_length);


Comment thread
HyperPS marked this conversation as resolved.
Outdated
/* objectify buffer */
result = Py_BuildValue("iy#i", request_id,
pymongo_buffer_get_buffer(buffer),
Expand All @@ -162,7 +183,8 @@ static PyObject* _cbson_get_more_message(PyObject* self, PyObject* args) {
int num_to_return;
long long cursor_id;
buffer_t buffer = NULL;
int length_location, message_length;
int length_location;
size_t message_length;
PyObject* result = NULL;

if (!PyArg_ParseTuple(args, "et#iL",
Expand Down Expand Up @@ -196,7 +218,14 @@ static PyObject* _cbson_get_more_message(PyObject* self, PyObject* args) {
goto fail;
}

message_length = pymongo_buffer_get_position(buffer) - length_location;
message_length =
(size_t)pymongo_buffer_get_position(buffer) -
(size_t)length_location;
Comment thread
HyperPS marked this conversation as resolved.
Outdated

if (!_check_int32_size(message_length, "getMore message length")) {
goto fail;
}

buffer_write_int32_at_position(
buffer, length_location, (int32_t)message_length);

Expand Down Expand Up @@ -229,7 +258,8 @@ static PyObject* _cbson_op_msg(PyObject* self, PyObject* args) {
PyObject* options_obj = NULL;
codec_options_t options;
buffer_t buffer = NULL;
int length_location, message_length;
int length_location;
size_t message_length;
int total_size = 0;
int max_doc_size = 0;
PyObject* result = NULL;
Expand Down Expand Up @@ -279,7 +309,8 @@ static PyObject* _cbson_op_msg(PyObject* self, PyObject* args) {
}

if (identifier_length) {
int payload_one_length_location, payload_length;
int payload_one_length_location;
size_t payload_length;
/* Payload type 1 */
if (!buffer_write_bytes(buffer, "\x01", 1)) {
goto fail;
Expand Down Expand Up @@ -307,16 +338,32 @@ static PyObject* _cbson_op_msg(PyObject* self, PyObject* args) {
Py_CLEAR(doc);
}

payload_length = pymongo_buffer_get_position(buffer) - payload_one_length_location;
payload_length =
(size_t)pymongo_buffer_get_position(buffer) -
(size_t)payload_one_length_location;
Comment thread
HyperPS marked this conversation as resolved.
Outdated

if (!_check_int32_size(payload_length, "OP_MSG payload length")) {
goto fail;
}

buffer_write_int32_at_position(
buffer, payload_one_length_location, (int32_t)payload_length);
total_size += payload_length;
}

message_length = pymongo_buffer_get_position(buffer) - length_location;

message_length =
(size_t)pymongo_buffer_get_position(buffer) -
(size_t)length_location;
Comment thread
HyperPS marked this conversation as resolved.
Outdated

if (!_check_int32_size(message_length, "OP_MSG message length")) {
goto fail;
}

buffer_write_int32_at_position(
buffer, length_location, (int32_t)message_length);


/* objectify buffer */
result = Py_BuildValue("iy#ii", request_id,
pymongo_buffer_get_buffer(buffer),
Expand Down Expand Up @@ -365,8 +412,8 @@ _batched_op_msg(
long max_message_size;
int idx = 0;
int size_location;
int position;
int length;
size_t position;
size_t length;
PyObject* max_bson_size_obj = NULL;
PyObject* max_write_batch_size_obj = NULL;
PyObject* max_message_size_obj = NULL;
Expand Down Expand Up @@ -520,8 +567,13 @@ _batched_op_msg(
goto fail;
}

position = pymongo_buffer_get_position(buffer);
length = position - size_location;
position = (size_t)pymongo_buffer_get_position(buffer);
length = position - (size_t)size_location;

if (!_check_int32_size(length, "batched OP_MSG section length")) {
goto fail;
}

buffer_write_int32_at_position(buffer, size_location, (int32_t)length);
return 1;

Expand Down Expand Up @@ -591,7 +643,7 @@ _cbson_batched_op_msg(PyObject* self, PyObject* args) {
unsigned char op;
unsigned char ack;
int request_id;
int position;
size_t position;
PyObject* command = NULL;
PyObject* docs = NULL;
PyObject* ctx = NULL;
Expand Down Expand Up @@ -643,7 +695,12 @@ _cbson_batched_op_msg(PyObject* self, PyObject* args) {
}

request_id = rand();
position = pymongo_buffer_get_position(buffer);
position = (size_t)pymongo_buffer_get_position(buffer);

if (!_check_int32_size(position, "batched OP_MSG message length")) {
goto fail;
}

buffer_write_int32_at_position(buffer, 0, (int32_t)position);
buffer_write_int32_at_position(buffer, 4, (int32_t)request_id);
result = Py_BuildValue("iy#O", request_id,
Expand All @@ -657,6 +714,7 @@ _cbson_batched_op_msg(PyObject* self, PyObject* args) {
return result;
}


Comment thread
HyperPS marked this conversation as resolved.
/* End OP_MSG -------------------------------------------- */
Comment thread
Jibola marked this conversation as resolved.

static int
Expand Down Expand Up @@ -850,10 +908,21 @@ _batched_write_command(
goto fail;
}

position = pymongo_buffer_get_position(buffer);
length = position - lst_len_loc - 1;
position = (size_t)pymongo_buffer_get_position(buffer);
length = position - (size_t)lst_len_loc - 1;

if (!_check_int32_size(length, "batched write list length")) {
goto fail;
}

buffer_write_int32_at_position(buffer, lst_len_loc, (int32_t)length);
length = position - cmd_len_loc;

length = position - (size_t)cmd_len_loc;

if (!_check_int32_size(length, "batched write command length")) {
goto fail;
}

buffer_write_int32_at_position(buffer, cmd_len_loc, (int32_t)length);
return 1;

Expand Down
Loading