From d2efc53b925673dad9f85baedb596be04ab3881c Mon Sep 17 00:00:00 2001
From: Jared Wong
Date: Sat, 7 Dec 2013 11:11:10 -0800
Subject: [PATCH] SERVER-12006 - Fixed potential pointer overflow leading to an infinite loop in db/storage/record.cpp

In order to iterate over the data in the record there was a previous loop that compared pointers. This will not work as expected because the addr pointer may overflow. In C, it is undefined behavior to increment a pointer (in this case addr) more than 1 past the end of the array (in this case _data) to which it points. If the compiler so chooses, it may wrap around the pointer if it increases past _data + SliceSize + 1. This would cause this loop to never exit because addr would always be less than end.

---
 src/mongo/db/storage/record.cpp | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/mongo/db/storage/record.cpp b/src/mongo/db/storage/record.cpp
index 46e39884b44ca..e729301265c41 100644
--- a/src/mongo/db/storage/record.cpp
+++ b/src/mongo/db/storage/record.cpp
@@ -418,9 +418,9 @@ namespace mongo {
 void Record::touch( bool entireRecrd ) const {
 if ( _lengthWithHeaders > HeaderSize ) { // this also makes sure lengthWithHeaders is in memory
 const char * addr = _data;
- const char * end = _data + _netLength();
- for ( ; addr <= end ; addr += 2048 ) {
- __record_touch_dummy += addr[0];
+ const int length = _netLength();
+ for ( int i = 0 ; i <= length ; i += 2048 ) {
+ __record_touch_dummy += addr[i];
 break; // TODO: remove this, pending SERVER-3711