CDRIVER-2596 buffer underflow in bson_strncpy

ajdavis · ajdavis · commit 8ed31cd4cf63 · 2018-04-13T09:46:17.000-04:00
Calling bson_strncpy with size 0 would write one byte before the start
of the destination string.
diff --git a/src/libbson/src/bson/bson-string.c b/src/libbson/src/bson/bson-string.c
@@ -562,6 +562,10 @@ bson_strncpy (char *dst,       /* IN */
               const char *src, /* IN */
               size_t size)     /* IN */
 {
+   if (size == 0) {
+      return;
+   }
+
 #ifdef _MSC_VER
    strncpy_s (dst, size, src, _TRUNCATE);
 #else
diff --git a/src/libbson/tests/test-string.c b/src/libbson/tests/test-string.c
@@ -279,6 +279,9 @@ test_bson_strncpy (void)
    ASSERT_CMPSTR ("foo", buf);
    bson_strncpy (buf, "foobar", sizeof buf);
    ASSERT_CMPSTR ("foob", buf);
+   /* CDRIVER-2596 make sure strncpy with size 0 doesn't write to buf[-1] */
+   bson_strncpy (buf + 1, "z", 0);
+   ASSERT_CMPSTR ("foob", buf);
 }
 
 

Original file line number	Diff line number	Diff line change
`@@ -279,6 +279,9 @@ test_bson_strncpy (void)`
`279`	`279`	`ASSERT_CMPSTR ("foo", buf);`
`280`	`280`	`bson_strncpy (buf, "foobar", sizeof buf);`
`281`	`281`	`ASSERT_CMPSTR ("foob", buf);`
	`282`	`+ /* CDRIVER-2596 make sure strncpy with size 0 doesn't write to buf[-1] */`
	`283`	`+ bson_strncpy (buf + 1, "z", 0);`
	`284`	`+ ASSERT_CMPSTR ("foob", buf);`
`282`	`285`	`}`
`283`	`286`
`284`	`287`