PYTHON-4305 Fix bson size check (#1564)

ShaneHarvey · blink1073 · commit 56b6b6dbc267 · 2024-03-27T18:52:36.000-05:00
(cherry picked from commit 372b5d6)
diff --git a/bson/_cbsonmodule.c b/bson/_cbsonmodule.c
@@ -2405,6 +2405,7 @@ static PyObject* get_value(PyObject* self, PyObject* name, const char* buffer,
             uint32_t c_w_s_size;
             uint32_t code_size;
             uint32_t scope_size;
+            uint32_t len;
             PyObject* code;
             PyObject* scope;
             PyObject* code_type;
@@ -2424,7 +2425,8 @@ static PyObject* get_value(PyObject* self, PyObject* name, const char* buffer,
             memcpy(&code_size, buffer + *position, 4);
             code_size = BSON_UINT32_FROM_LE(code_size);
             /* code_w_scope length + code length + code + scope length */
-            if (!code_size || max < code_size || max < 4 + 4 + code_size + 4) {
+            len = 4 + 4 + code_size + 4;
+            if (!code_size || max < code_size || max < len || len < code_size) {
                 goto invalid;
             }
             *position += 4;
@@ -2442,12 +2444,9 @@ static PyObject* get_value(PyObject* self, PyObject* name, const char* buffer,
 
             memcpy(&scope_size, buffer + *position, 4);
             scope_size = BSON_UINT32_FROM_LE(scope_size);
-            if (scope_size < BSON_MIN_SIZE) {
-                Py_DECREF(code);
-                goto invalid;
-            }
             /* code length + code + scope length + scope */
-            if ((4 + code_size + 4 + scope_size) != c_w_s_size) {
+            len = 4 + 4 + code_size + scope_size;
+            if (scope_size < BSON_MIN_SIZE || len != c_w_s_size || len < scope_size) {
                 Py_DECREF(code);
                 goto invalid;
             }
