From 5c52ab2252953055e64d9b9855ad64b27eda060e Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Tue, 18 Oct 2022 16:17:55 -0400
Subject: Use memmove() in Unicode functions
Where the upstream OpenLDAP code uses AC_MEMCPY(), use memmove() instead of memcpy() as the copies frequently involve overlapping memory regions. Credit to OSS-Fuzz for discovering one instance of the issue.
ticket: 9076 (new)
---
 src/lib/krb5/unicode/ucdata/ucdata.c | 4 ++--
 src/lib/krb5/unicode/ucdata/ucgendat.c | 20 ++++++++++----------
 src/lib/krb5/unicode/ure/ure.c | 8 ++++----
 3 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/src/lib/krb5/unicode/ucdata/ucdata.c b/src/lib/krb5/unicode/ucdata/ucdata.c
index e1b560d96..5b6ac7085 100644
--- a/src/lib/krb5/unicode/ucdata/ucdata.c
+++ b/src/lib/krb5/unicode/ucdata/ucdata.c
@@ -958,7 +958,7 @@ uccanoncompatdecomp(const krb5_ui_4 *in, int inlen,
 for (l = i; l > 0; l--)
 if (class >= uccombining_class((*out)[l-1]))
 break;
- memcpy(*out + l + 1, *out + l, (i - l) * sizeof(**out));
+ memmove(*out + l + 1, *out + l, (i - l) * sizeof(**out));
 (*out)[l] = decomp[k];
 }
 i++;
@@ -988,7 +988,7 @@ uccanoncompatdecomp(const krb5_ui_4 *in, int inlen,
 for (l = i; l > 0; l--)
 if (class >= uccombining_class((*out)[l-1]))
 break;
- memcpy(*out + l + 1, *out + l, (i - l) * sizeof(**out));
+ memmove(*out + l + 1, *out + l, (i - l) * sizeof(**out));
 (*out)[l] = in[j];
 }
 i++;
diff --git a/src/lib/krb5/unicode/ucdata/ucgendat.c b/src/lib/krb5/unicode/ucdata/ucgendat.c
index 9114e8a70..70cec52d0 100644
--- a/src/lib/krb5/unicode/ucdata/ucgendat.c
+++ b/src/lib/krb5/unicode/ucdata/ucgendat.c
@@ -485,8 +485,8 @@ add_decomp(krb5_ui_4 code, short compat)
 * Shift the decomps up by one if the codes don't match.
 */
 for (j = *pdecomps_used; j > i; j--)
- (void) memcpy((char *) &(*pdecomps)[j], (char *) &(*pdecomps)[j - 1],
- sizeof(_decomp_t));
+ (void) memmove((char *) &(*pdecomps)[j], (char *) &(*pdecomps)[j - 1],
+ sizeof(_decomp_t));
 }
 /*
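Review bot: The new `memmove(*out + l + 1, *out + l, (i - l) * sizeof(**out));` in uccanoncompatdecomp (ucdata.c, hunk at line 958, and the identical call in the hunk at 988) has no comment saying why memcpy() is not acceptable, so a later resync with the upstream OpenLDAP source could quietly revert it. The source and destination ranges are offset by one element and overlap whenever `i - l` is greater than 1, which is undefined behaviour for memcpy(). I would put `/* Ranges overlap when i - l > 1; must be memmove(), not memcpy(). */` above both calls. The shift writes through index `i`, and the capacity check for `*out` is outside both hunks, so it is not verified here; the function body starts and ends outside the hunks.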
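Review bot: The shift loop in add_decomp (ucgendat.c, hunk at line 485) copies exactly one `_decomp_t` per iteration between two adjacent, distinct array elements, so this copy was never an overlapping one and a byte copy through `(char *)` casts hides the element type for no gain. A struct assignment states the intent and is type-checked: `(*pdecomps)[j] = (*pdecomps)[j - 1];`. The same loop shape appears in add_title, add_upper and add_lower (hunks at 549, 596 and 643), where `title[j] = title[j - 1];`, `upper[j] = upper[j - 1];` and `lower[j] = lower[j - 1];` would do the same job. The enclosing functions start and end outside these hunks.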
@@ -509,8 +509,8 @@ add_decomp(krb5_ui_4 code, short compat)
 (*pdecomps)[i].code = code;
 (*pdecomps)[i].used = dectmp_size;
- (void) memcpy((char *) (*pdecomps)[i].decomp, (char *) dectmp,
- sizeof(krb5_ui_4) * dectmp_size);
+ (void) memmove((char *) (*pdecomps)[i].decomp, (char *) dectmp,
+ sizeof(krb5_ui_4) * dectmp_size);
 /*
 * NOTICE: This needs changing later so it is more general than simply
@@ -549,8 +549,8 @@ add_title(krb5_ui_4 code)
 * Shift the array up by one.
 */
 for (j = title_used; j > i; j--)
- (void) memcpy((char *) &title[j], (char *) &title[j - 1],
- sizeof(_case_t));
+ (void) memmove((char *) &title[j], (char *) &title[j - 1],
+ sizeof(_case_t));
 }
 title[i].key = cases[2]; /* Title */
@@ -596,8 +596,8 @@ add_upper(krb5_ui_4 code)
 * Shift the array up by one.
 */
 for (j = upper_used; j > i; j--)
- (void) memcpy((char *) &upper[j], (char *) &upper[j - 1],
- sizeof(_case_t));
+ (void) memmove((char *) &upper[j], (char *) &upper[j - 1],
+ sizeof(_case_t));
 }
 upper[i].key = cases[0]; /* Upper */
@@ -643,8 +643,8 @@ add_lower(krb5_ui_4 code)
 * Shift the array up by one.
 */
 for (j = lower_used; j > i; j--)
- (void) memcpy((char *) &lower[j], (char *) &lower[j - 1],
- sizeof(_case_t));
+ (void) memmove((char *) &lower[j], (char *) &lower[j - 1],
+ sizeof(_case_t));
 }
 lower[i].key = cases[1]; /* Lower */
diff --git a/src/lib/krb5/unicode/ure/ure.c b/src/lib/krb5/unicode/ure/ure.c
index e6d2b11ea..7b3048713 100644
--- a/src/lib/krb5/unicode/ure/ure.c
+++ b/src/lib/krb5/unicode/ure/ure.c
@@ -1124,8 +1124,8 @@ _ure_make_symbol(ucs2_t *sym, unsigned long limit, unsigned long *consumed,
 }
 symbol.id = b->symtab_used++;
- (void) memcpy((char *) &b->symtab[symbol.id], (char *) &symbol,
- sizeof(_ure_symtab_t));
+ (void) memmove((char *) &b->symtab[symbol.id], (char *) &symbol,
+ sizeof(_ure_symtab_t));
 return symbol.id;
 }
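Review bot: In _ure_make_symbol (ure.c, hunk at line 1124) the copy source is `symbol`, which from the `&symbol` and `symbol.id` usage appears to be a local struct, so it cannot overlap `b->symtab[...]` and memmove() adds nothing over a plain assignment. `b->symtab[symbol.id] = symbol;` is shorter, is checked against `_ure_symtab_t` by the compiler, and drops the `(char *)` casts. Whether `b->symtab` has room for index `symtab_used` is decided before the hunk's first line, so that bound is not verified here.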
@@ -1358,8 +1358,8 @@ _ure_add_state(ucs2_t nstates, ucs2_t *states, _ure_buffer_t *b)
 sp->st.slist_size = sp->st.slist_used + nstates;
 }
 sp->st.slist_used = nstates;
- (void) memcpy((char *) sp->st.slist, (char *) states,
- sizeof(ucs2_t) * nstates);
+ (void) memmove((char *) sp->st.slist, (char *) states,
+ sizeof(ucs2_t) * nstates);
 }
 /*
-- 
cgit v1.2.1
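Review bot: The copy into `sp->st.slist` in _ure_add_state (ure.c, hunk at line 1358) runs unconditionally after the block that sets `slist_size`, and the allocation that block presumably performs is outside the hunk. If that allocation can fail without returning, or if `nstates` can be 0 while `slist` is still unallocated, memmove() receives a null destination, which is undefined even for a zero length. This needs confirming against the full function. The allocation result should be checked before `sp->st.slist_used = nstates;`, and `if (nstates > 0)` in front of the memmove() call would make the zero-length case explicit.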