PYTHON-5756 - Fix BSON Binary type length bug (#2790)

NoahStapp · web-flow · commit f145c7db940f · 2026-05-07T15:23:00.000-04:00
diff --git a/bson/_cbsonmodule.c b/bson/_cbsonmodule.c
@@ -2281,7 +2281,7 @@ static PyObject* get_value(PyObject* self, PyObject* name, const char* buffer,
             }
             memcpy(&length, buffer + *position, 4);
             length = BSON_UINT32_FROM_LE(length);
-            if (max < length) {
+            if (max - 5 < length) { // Account for 5-byte header. max >= 5 guaranteed above
                 goto invalid;
             }
 
diff --git a/test/test_bson.py b/test/test_bson.py
@@ -1269,6 +1269,22 @@ def __repr__(self):
             encode(doc)
         self.assertEqual(cm.exception.document, doc)
 
+    def test_binary_length_accounts_for_header(self):
+        size = 20
+        binary_length = 12  # 5 more than the actual 7 bytes
+
+        payload = b""
+        payload += struct.pack("<i", size)  # document size
+        payload += b"\x05"  # type = Binary
+        payload += b"a\x00"  # key "a"
+        payload += struct.pack("<I", binary_length)  # Binary length (inflated)
+        payload += b"\x00"  # subtype 0
+        payload += b"\x41" * 7  # value
+        payload += b"\x00"  # EOO
+
+        with self.assertRaises(InvalidBSON):
+            decode(payload)
+
 
 class TestCodecOptions(unittest.TestCase):
     def test_document_class(self):

Original file line number	Diff line number	Diff line change
`@@ -2281,7 +2281,7 @@ static PyObject* get_value(PyObject* self, PyObject* name, const char* buffer,`
`2281`	`2281`	`}`
`2282`	`2282`	`memcpy(&length, buffer + *position, 4);`
`2283`	`2283`	`length = BSON_UINT32_FROM_LE(length);`
`2284`		`- if (max < length) {`
	`2284`	`+ if (max - 5 < length) { // Account for 5-byte header. max >= 5 guaranteed above`
`2285`	`2285`	`goto invalid;`
`2286`	`2286`	`}`
`2287`	`2287`