MB-29527: subdoc: Avoid undefined behaviour in operate_single_doc()
As identified by UBSan, if a sub-document operation results in a
zero-length result (which is valid), the current implementation passes
a null pointer to memcpy, which is undefined behaviour:

    [ RUN      ] TransportProtocols/XattrTest.SetXattrAndDeleteBasic/Mcbp_XattrYes_JsonYes_SnappyYes
    runtime error: null pointer passed as argument 2, which is declared to never be null
    #0 0xd32951 in operate_single_doc kv_engine/daemon/subdocument.cc:776
    #1 0xd3522d in do_body_phase kv_engine/daemon/subdocument.cc:1136
    #2 0xd3522d in subdoc_operate kv_engine/daemon/subdocument.cc:1183
    #3 0xd3522d in subdoc_executor kv_engine/daemon/subdocument.cc:431

Fix by using std::copy instead.

Change-Id: Ia5e4d7f76fd57a81c62b930ded7b85dd31a1ae24
Reviewed-on: http://review.couchbase.org/93766
Tested-by: Build Bot <[email protected]>
Reviewed-by: Trond Norbye <[email protected]>
daverigby authored and trondn committed May 4, 2018
1 parent 7343e0d commit 42f2369
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion daemon/subdocument.cc
Expand Up @@ -773,7 +773,7 @@ static bool operate_single_doc(SubdocCmdContext& context,

size_t offset = 0;
for (auto& loc : op->result.newdoc()) {
std::memcpy(temp.get() + offset, loc.at, loc.length);
std::copy(loc.at, loc.at + loc.length, temp.get() + offset);
offset += loc.length;
}

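Review bot: The `std::copy` line carries no comment saying why it is used in place of `std::memcpy`, so a later cleanup could swap it back and reintroduce the null-pointer argument when `loc.length` is zero. Suggest a one-line comment above it noting that `loc.at` may be null for a zero-length location. `std::copy_n(loc.at, loc.length, temp.get() + offset)` would also state the intent more directly, without forming the end pointer by hand. The hunk does not show how `temp` is sized, so it is worth confirming that the summed `loc.length` values cannot exceed that allocation, since neither form of the copy checks it.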