PYTHON-5756 - Fix BSON Binary type length bug (#2790)

2026-05-07 15:23:00 -04:00 · 2026-05-07 15:23:00 -04:00 · f145c7db94
commit f145c7db94
parent b6bac45c7e
2 changed files with 17 additions and 1 deletions
--- a/bson/_cbsonmodule.c
+++ b/bson/_cbsonmodule.c
@ -2281,7 +2281,7 @@ static PyObject* get_value(PyObject* self, PyObject* name, const char* buffer,
            }
            memcpy(&length, buffer + *position, 4);
            length = BSON_UINT32_FROM_LE(length);
-            if (max < length) {
+            if (max - 5 < length) { // Account for 5-byte header. max >= 5 guaranteed above
                goto invalid;
            }

--- a/test/test_bson.py
+++ b/test/test_bson.py
@ -1269,6 +1269,22 @@ class TestBSON(unittest.TestCase):
            encode(doc)
        self.assertEqual(cm.exception.document, doc)

+    def test_binary_length_accounts_for_header(self):
+        size = 20
+        binary_length = 12  # 5 more than the actual 7 bytes
+
+        payload = b""
+        payload += struct.pack("<i", size)  # document size
+        payload += b"\x05"  # type = Binary
+        payload += b"a\x00"  # key "a"
+        payload += struct.pack("<I", binary_length)  # Binary length (inflated)
+        payload += b"\x00"  # subtype 0
+        payload += b"\x41" * 7  # value
+        payload += b"\x00"  # EOO
+
+        with self.assertRaises(InvalidBSON):
+            decode(payload)
+

 class TestCodecOptions(unittest.TestCase):
    def test_document_class(self):