MB-29527: subdoc: Avoid undefined behaviour in operate_single_doc()

daverigby · trondn · commit 42f236973229 · 2018-05-04T19:39:43.000Z
As identified by UBSan, if a sub-document operation results in a zero-length result (which is valid); the current implementation passes a null pointer to memcpy, which is undefined behaviour: [ RUN ] TransportProtocols/XattrTest.SetXattrAndDeleteBasic/Mcbp_XattrYes_JsonYes_SnappyYes runtime error: null pointer passed as argument 2, which is declared to never be null #0 0xd32951 in operate_single_doc kv_engine/daemon/subdocument.cc:776 couchbase#1 0xd3522d in do_body_phase kv_engine/daemon/subdocument.cc:1136 couchbase#2 0xd3522d in subdoc_operate kv_engine/daemon/subdocument.cc:1183 couchbase#3 0xd3522d in subdoc_executor kv_engine/daemon/subdocument.cc:431 Fix by using std::copy instead. Change-Id: Ia5e4d7f76fd57a81c62b930ded7b85dd31a1ae24 Reviewed-on: http://review.couchbase.org/93766 Tested-by: Build Bot <build@couchbase.com> Reviewed-by: Trond Norbye <trond.norbye@gmail.com>
diff --git a/daemon/subdocument.cc b/daemon/subdocument.cc
@@ -773,7 +773,7 @@ static bool operate_single_doc(SubdocCmdContext& context,
 
                 size_t offset = 0;
                 for (auto& loc : op->result.newdoc()) {
-                    std::memcpy(temp.get() + offset, loc.at, loc.length);
+                    std::copy(loc.at, loc.at + loc.length, temp.get() + offset);
                     offset += loc.length;
                 }
 

Original file line number	Diff line number	Diff line change
`@@ -773,7 +773,7 @@ static bool operate_single_doc(SubdocCmdContext& context,`
`773`	`773`
`774`	`774`	`size_t offset = 0;`
`775`	`775`	`for (auto& loc : op->result.newdoc()) {`
`776`		`- std::memcpy(temp.get() + offset, loc.at, loc.length);`
	`776`	`+ std::copy(loc.at, loc.at + loc.length, temp.get() + offset);`
`777`	`777`	`offset += loc.length;`
`778`	`778`	`}`
`779`	`779`