From ca6f6511f2d0ee7cdf9fc694768220be2daaf4d9 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
Date: Tue, 1 Nov 2016 23:54:21 +0900
Subject: [PATCH] Avoid memcpy against NULL src

---
 lib/nghttp2_frame.c  | 8 ++++++--
 lib/nghttp2_helper.c | 4 ++++
 lib/nghttp2_rcbuf.c  | 5 ++---
 3 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/lib/nghttp2_frame.c b/lib/nghttp2_frame.c
index 5079dfd4..85f26915 100644
--- a/lib/nghttp2_frame.c
+++ b/lib/nghttp2_frame.c
@@ -869,7 +869,9 @@ int nghttp2_nv_array_copy(nghttp2_nv **nva_ptr, const nghttp2_nv *nva,
       p->name = nva[i].name;
       p->namelen = nva[i].namelen;
     } else {
-      memcpy(data, nva[i].name, nva[i].namelen);
+      if (nva[i].namelen) {
+        memcpy(data, nva[i].name, nva[i].namelen);
+      }
       p->name = data;
       p->namelen = nva[i].namelen;
       data[p->namelen] = '\0';
@@ -881,7 +883,9 @@ int nghttp2_nv_array_copy(nghttp2_nv **nva_ptr, const nghttp2_nv *nva,
       p->value = nva[i].value;
       p->valuelen = nva[i].valuelen;
     } else {
-      memcpy(data, nva[i].value, nva[i].valuelen);
+      if (nva[i].valuelen) {
+        memcpy(data, nva[i].value, nva[i].valuelen);
+      }
       p->value = data;
       p->valuelen = nva[i].valuelen;
       data[p->valuelen] = '\0';
diff --git a/lib/nghttp2_helper.c b/lib/nghttp2_helper.c
index 5173ba7b..b00c9073 100644
--- a/lib/nghttp2_helper.c
+++ b/lib/nghttp2_helper.c
@@ -503,6 +503,10 @@ int nghttp2_check_header_value(const uint8_t *value, size_t len) {
 }
 
 uint8_t *nghttp2_cpymem(uint8_t *dest, const void *src, size_t len) {
+  if (len == 0) {
+    return dest;
+  }
+
   memcpy(dest, src, len);
 
   return dest + len;
diff --git a/lib/nghttp2_rcbuf.c b/lib/nghttp2_rcbuf.c
index 053f0dfa..24f561af 100644
--- a/lib/nghttp2_rcbuf.c
+++ b/lib/nghttp2_rcbuf.c
@@ -28,6 +28,7 @@
 #include <assert.h>
 
 #include "nghttp2_mem.h"
+#include "nghttp2_helper.h"
 
 int nghttp2_rcbuf_new(nghttp2_rcbuf **rcbuf_ptr, size_t size,
                       nghttp2_mem *mem) {
@@ -58,10 +59,8 @@ int nghttp2_rcbuf_new2(nghttp2_rcbuf **rcbuf_ptr, const uint8_t *src,
     return rv;
   }
 
-  memcpy((*rcbuf_ptr)->base, src, srclen);
-
   (*rcbuf_ptr)->len = srclen;
-  (*rcbuf_ptr)->base[srclen] = '\0';
+  *nghttp2_cpymem((*rcbuf_ptr)->base, src, srclen) = '\0';
 
   return 0;
 }