Skip to content

Fix: prevent signed integer overflow in OP_MSG message sizes #2693

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
HyperPS wants to merge 12 commits into
base: master
Choose a base branch
from
+1 −1
Open

Fix: prevent signed integer overflow in OP_MSG message sizes #2693

Changes from all commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
2a0304e
Fix: prevent signed integer overflow in OP_MSG message sizes
HyperPS Jan 30, 2026
e5cdb2e
Fix: prevent signed integer overflow in OP_MSG message sizes
HyperPS Feb 1, 2026
acc3f21
Fix signed int32 overflow in message and buffer size calculations
HyperPS Feb 1, 2026
3211211
Apply suggestion from @Jibola
HyperPS Feb 1, 2026
f170513
Update pymongo/_cmessagemodule.c
HyperPS Feb 1, 2026
ef64bbf
Merge branch 'master' into fix/int32-overflow-opmsg
HyperPS Feb 3, 2026
5201951
Revert all bson/buffer.c changes and keep only valid fix in _cmessage…
HyperPS Feb 24, 2026
077648c
Revert all changes except fix: check downsize instead of size in buff…
HyperPS Feb 24, 2026
4d57f95
Fix: restore trailing newline in bson/buffer.c
HyperPS Feb 24, 2026
bba20d2
Revert all cosmetic changes, keep only downsize fix on line 63
HyperPS Feb 24, 2026
e252ccc
Merge branch 'master' into fix/int32-overflow-opmsg
HyperPS Feb 24, 2026
2f301ea
Apply suggestions from code review
Jibola Apr 1, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion pymongo/_cmessagemodule.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -60,7 +60,7 @@ static PyObject* _error(char* name) {
* Returns 0 on failure */
static int buffer_write_bytes_ssize_t(buffer_t buffer, const char* data, Py_ssize_t size) {
int downsize = _downcast_and_check(size, 0);
if (size == -1) {
if (downsize == -1) {
return 0;
}
return buffer_write_bytes(buffer, data, downsize);
Comment on lines 61 to 66
Copy link

Copilot AI Feb 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PR title/description indicate broader signed integer overflow hardening (e.g., introducing a shared _check_int32_size() helper and converting OP_MSG/OP_QUERY/etc size computations to size_t with int32 bounds checks). In this diff/repo state, those changes are not present (no _check_int32_size symbol, and message length/payload length calculations still downcast directly to int32_t without centralized bounds validation). Please either include the missing overflow-checking changes or update the PR title/description to match the actual scope.

Copilot uses AI. Check for mistakes.
Expand Down