Add regression test for _array_of_documents_to_buffer bound check

AgentGymLeader · AgentGymLeader · commit ea148974e669 · 2026-06-14T16:21:22.000+09:00
Asserts an embedded-document length larger than the remaining array bytes raises InvalidBSON, and that a valid buffer still decodes.
diff --git a/test/test_bson.py b/test/test_bson.py
@@ -1756,6 +1756,28 @@ def test_array_of_documents_to_buffer(self):
         with self.assertRaises(InvalidBSON):
             _array_of_documents_to_buffer(buf)
 
+    def test_array_of_documents_to_buffer_rejects_oversized_element(self):
+        # Regression test for the bound check in
+        # _cbson_array_of_documents_to_buffer: an embedded document whose
+        # declared length exceeds the bytes remaining in the array document
+        # must raise InvalidBSON before any copy, rather than reading out of
+        # bounds (CWE-125).
+        doc = dict(a=1)
+        valid = encode({"0": doc})
+        # A well-formed buffer is unaffected by the guard.
+        self.assertEqual(_array_of_documents_to_buffer(valid), encode(doc))
+        # The first embedded document starts after the array header:
+        # 4-byte array length + 1-byte element type (0x03) + "0\x00" key = 7.
+        # Its leading 4 bytes are the embedded document's declared length.
+        offset = 4 + 1 + 2
+        malformed = bytearray(valid)
+        # Claim a length far larger than what remains (but >= BSON_MIN_SIZE so
+        # the existing lower-bound check still passes), forcing the new
+        # upper-bound guard to reject it.
+        malformed[offset:offset + 4] = struct.pack("<i", 0x7FFF)
+        with self.assertRaises(InvalidBSON):
+            _array_of_documents_to_buffer(bytes(malformed))
+
 
 class TestLongLongToString(unittest.TestCase):
     def test_long_long_to_string(self):
