Fix: prevent signed integer overflow in OP_MSG message sizes

[HyperPS]

Changes in this PR

This change fixes multiple signed integer overflow risks when computing MongoDB wire protocol message lengths in the C extension (pymongo/_cmessagemodule.c).

Previously, several message size calculations were performed using int and written directly into int32 fields without validating bounds. In edge cases involving large buffers or payloads, this could lead to signed integer truncation, incorrect message lengths, and potential memory corruption.

This patch:

• Introduces a shared _check_int32_size() helper to validate all computed
  message and section sizes before downcasting to int32_t
• Converts intermediate size calculations to size_t
• Applies consistent bounds checks across:
  • OP_QUERY
  • OP_GET_MORE
  • OP_MSG (including type 1 payloads)
  • Batched OP_MSG writes
  • Batched legacy write commands

Security Impact

This issue was reported via Huntr as a potential integer overflow leading to malformed MongoDB wire protocol messages. While exploitation requires crafted inputs, validating message sizes defensively prevents undefined behavior and improves robustness of the PyMongo C extension.

Huntr report:

• https://huntr.com/bounties/b22f04e9-6928-4efd-b65e-2e725e688c30

[Jibola]

Thank you for identifying this code improvement.

Overall, Logic looks good, but please fix formatting to match _cmessagemodule.c and confirm all length writes now use _check_int32_size.

[HyperPS]

This fixes signed int32 overflow issues in OP_MSG and buffer size calculations by validating message and section lengths before casting to int32, preventing integer truncation and potential memory corruption.
Please let me know if you’d like any adjustments.