Skip to content

Commit

Permalink
MB-29527: subdoc: Avoid undefined behaviour in operate_single_doc()
Browse files Browse the repository at this point in the history
As identified by UBSan, if a sub-document operation results in a
zero-length result (which is valid); the current implementation passes
a null pointer to memcpy, which is undefined behaviour:

    [ RUN      ] TransportProtocols/XattrTest.SetXattrAndDeleteBasic/Mcbp_XattrYes_JsonYes_SnappyYes
    runtime error: null pointer passed as argument 2, which is declared to never be null
    #0 0xd32951 in operate_single_doc kv_engine/daemon/subdocument.cc:776
    couchbase#1 0xd3522d in do_body_phase kv_engine/daemon/subdocument.cc:1136
    couchbase#2 0xd3522d in subdoc_operate kv_engine/daemon/subdocument.cc:1183
    couchbase#3 0xd3522d in subdoc_executor kv_engine/daemon/subdocument.cc:431

Fix by using std::copy instead.

Change-Id: Ia5e4d7f76fd57a81c62b930ded7b85dd31a1ae24
Reviewed-on: http://review.couchbase.org/93766
Tested-by: Build Bot <[email protected]>
Reviewed-by: Trond Norbye <[email protected]>
  • Loading branch information
daverigby authored and trondn committed May 4, 2018
1 parent 7343e0d commit 42f2369
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion daemon/subdocument.cc
Original file line number Diff line number Diff line change
Expand Up @@ -773,7 +773,7 @@ static bool operate_single_doc(SubdocCmdContext& context,

size_t offset = 0;
for (auto& loc : op->result.newdoc()) {
std::memcpy(temp.get() + offset, loc.at, loc.length);
std::copy(loc.at, loc.at + loc.length, temp.get() + offset);
offset += loc.length;
}

Expand Down

0 comments on commit 42f2369

Please sign in to comment.