Use memmove() in Unicode functions

Where the upstream OpenLDAP code uses AC_MEMCPY(), use memmove()
instead of memcpy() as the copies frequently involve overlapping
memory regions.  Credit to OSS-Fuzz for discovering one instance of
the issue.

ticket: 9076 (new)

diff --git a/src/lib/krb5/unicode/ucdata/ucdata.c b/src/lib/krb5/unicode/ucdata/ucdata.c
index e1b560d961f20b5ddc9619907243aaa3aa85e883..5b6ac7085d35e106e389dc23452c3b84a2366ff6 100644 (file)
--- a/src/lib/krb5/unicode/ucdata/ucdata.c
+++ b/src/lib/krb5/unicode/ucdata/ucdata.c
@@ -958,7 +958,7 @@ uccanoncompatdecomp(const krb5_ui_4 *in, int inlen,
                     for (l = i; l > 0; l--)
                         if (class >= uccombining_class((*out)[l-1]))
                             break;
-                    memcpy(*out + l + 1, *out + l, (i - l) * sizeof(**out));
+                    memmove(*out + l + 1, *out + l, (i - l) * sizeof(**out));
                     (*out)[l] = decomp[k];
                 }
                 i++;
@@ -988,7 +988,7 @@ uccanoncompatdecomp(const krb5_ui_4 *in, int inlen,
                 for (l = i; l > 0; l--)
                     if (class >= uccombining_class((*out)[l-1]))
                         break;
-                memcpy(*out + l + 1, *out + l, (i - l) * sizeof(**out));
+                memmove(*out + l + 1, *out + l, (i - l) * sizeof(**out));
                 (*out)[l] = in[j];
             }
             i++;

diff --git a/src/lib/krb5/unicode/ucdata/ucgendat.c b/src/lib/krb5/unicode/ucdata/ucgendat.c
index 9114e8a702450a1b53cf651f82b58f98a526c252..70cec52d043ba82fcfcdc3b5df27df9ed0d6a5fd 100644 (file)
--- a/src/lib/krb5/unicode/ucdata/ucgendat.c
+++ b/src/lib/krb5/unicode/ucdata/ucgendat.c
@@ -485,8 +485,8 @@ add_decomp(krb5_ui_4 code, short compat)
          * Shift the decomps up by one if the codes don't match.
          */
         for (j = *pdecomps_used; j > i; j--)
-          (void) memcpy((char *) &(*pdecomps)[j], (char *) &(*pdecomps)[j - 1],
-                        sizeof(_decomp_t));
+          (void) memmove((char *) &(*pdecomps)[j], (char *) &(*pdecomps)[j - 1],
+                         sizeof(_decomp_t));
     }
 
     /*
@@ -509,8 +509,8 @@ add_decomp(krb5_ui_4 code, short compat)
 
     (*pdecomps)[i].code = code;
     (*pdecomps)[i].used = dectmp_size;
-    (void) memcpy((char *) (*pdecomps)[i].decomp, (char *) dectmp,
-                  sizeof(krb5_ui_4) * dectmp_size);
+    (void) memmove((char *) (*pdecomps)[i].decomp, (char *) dectmp,
+                   sizeof(krb5_ui_4) * dectmp_size);
 
     /*
      * NOTICE: This needs changing later so it is more general than simply
@@ -549,8 +549,8 @@ add_title(krb5_ui_4 code)
          * Shift the array up by one.
          */
         for (j = title_used; j > i; j--)
-          (void) memcpy((char *) &title[j], (char *) &title[j - 1],
-                        sizeof(_case_t));
+          (void) memmove((char *) &title[j], (char *) &title[j - 1],
+                         sizeof(_case_t));
     }
 
     title[i].key = cases[2];    /* Title */
@@ -596,8 +596,8 @@ add_upper(krb5_ui_4 code)
          * Shift the array up by one.
          */
         for (j = upper_used; j > i; j--)
-          (void) memcpy((char *) &upper[j], (char *) &upper[j - 1],
-                        sizeof(_case_t));
+          (void) memmove((char *) &upper[j], (char *) &upper[j - 1],
+                         sizeof(_case_t));
     }
 
     upper[i].key = cases[0];    /* Upper */
@@ -643,8 +643,8 @@ add_lower(krb5_ui_4 code)
          * Shift the array up by one.
          */
         for (j = lower_used; j > i; j--)
-          (void) memcpy((char *) &lower[j], (char *) &lower[j - 1],
-                        sizeof(_case_t));
+          (void) memmove((char *) &lower[j], (char *) &lower[j - 1],
+                         sizeof(_case_t));
     }
 
     lower[i].key = cases[1];    /* Lower */

diff --git a/src/lib/krb5/unicode/ure/ure.c b/src/lib/krb5/unicode/ure/ure.c
index e6d2b11eab606566ae2404402bed645cac2f86b7..7b30487134a545f1103b1019cb5e274e5e36932a 100644 (file)
--- a/src/lib/krb5/unicode/ure/ure.c
+++ b/src/lib/krb5/unicode/ure/ure.c
@@ -1124,8 +1124,8 @@ _ure_make_symbol(ucs2_t *sym, unsigned long limit, unsigned long *consumed,
     }
 
     symbol.id = b->symtab_used++;
-    (void) memcpy((char *) &b->symtab[symbol.id], (char *) &symbol,
-                  sizeof(_ure_symtab_t));
+    (void) memmove((char *) &b->symtab[symbol.id], (char *) &symbol,
+                   sizeof(_ure_symtab_t));
 
     return symbol.id;
 }
@@ -1358,8 +1358,8 @@ _ure_add_state(ucs2_t nstates, ucs2_t *states, _ure_buffer_t *b)
             sp->st.slist_size = sp->st.slist_used + nstates;
         }
         sp->st.slist_used = nstates;
-        (void) memcpy((char *) sp->st.slist, (char *) states,
-                      sizeof(ucs2_t) * nstates);
+        (void) memmove((char *) sp->st.slist, (char *) states,
+                       sizeof(ucs2_t) * nstates);
     }
 
     /*