From 42f2369732297ec1341efd7bacf8de1d3c6e8f8e Mon Sep 17 00:00:00 2001
From: Dave Rigby
Date: Fri, 4 May 2018 16:04:33 +0100
Subject: [PATCH] MB-29527: subdoc: Avoid undefined behaviour in operate_single_doc()

As identified by UBSan, if a sub-document operation results in a zero-length result (which is valid); the current implementation passes a null pointer to memcpy, which is undefined behaviour:

[ RUN ] TransportProtocols/XattrTest.SetXattrAndDeleteBasic/Mcbp_XattrYes_JsonYes_SnappyYes
runtime error: null pointer passed as argument 2, which is declared to never be null
#0 0xd32951 in operate_single_doc kv_engine/daemon/subdocument.cc:776
#1 0xd3522d in do_body_phase kv_engine/daemon/subdocument.cc:1136
#2 0xd3522d in subdoc_operate kv_engine/daemon/subdocument.cc:1183
#3 0xd3522d in subdoc_executor kv_engine/daemon/subdocument.cc:431

Fix by using std::copy instead.

Change-Id: Ia5e4d7f76fd57a81c62b930ded7b85dd31a1ae24
Reviewed-on: http://review.couchbase.org/93766
Tested-by: Build Bot
Reviewed-by: Trond Norbye
---
 daemon/subdocument.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/daemon/subdocument.cc b/daemon/subdocument.cc
index 56c63d54a7..068ab9dd50 100644
--- a/daemon/subdocument.cc
+++ b/daemon/subdocument.cc
@@ -773,7 +773,7 @@ static bool operate_single_doc(SubdocCmdContext& context,
 size_t offset = 0;
 for (auto& loc : op->result.newdoc()) {
- std::memcpy(temp.get() + offset, loc.at, loc.length);
+ std::copy(loc.at, loc.at + loc.length, temp.get() + offset);
 offset += loc.length;
 }
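Review bot: The new std::copy line carries no explanation of why memcpy was replaced, so a later "use memcpy for speed" cleanup could silently reintroduce the undefined behaviour this commit removes; a comment directly above the `+` line would pin the reason, e.g. `// std::copy, not memcpy: loc.at may be null for a zero-length result, and memcpy with a null source is UB even when length is 0.` The replacement itself is sound: std::copy over an empty range is a no-op, and `loc.at + 0` on a null pointer is well-defined in C++. The copies still depend on temp having been allocated with at least the sum of loc.length over newdoc(), which is decided above the hunk and cannot be confirmed here; operate_single_doc begins outside the hunk.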