- Type: Bug
- Resolution: Fixed
- Priority: Unknown
- Affects Version/s: None
- Component/s: None
_mongocrypt_buffer_copy_from_data_and_size(buf, data, len) permits len == 0u as long as data != NULL, such as in _mc_FLE2UnindexedEncryptedValueCommon_parse when mc_reader_get_remaining_length returns 0u.
Invoking bson_malloc(0u) returns a NULL pointer, which is immediately passed to memcpy(s1, s2, n) as s1; this may trigger the following UBSAN error:
./src/mongocrypt-buffer.c:498:12: runtime error: null pointer passed as argument 1, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ./src/mongocrypt-buffer.c:498:12 in
The relevant undefined behavior is specified in the C standard as follows:
Where an argument declared as size_t n specifies the length of the array for a function, n can have the value zero on a call to that function. Unless explicitly stated otherwise in the description of a particular function in this subclause, pointer arguments on such a call shall still have valid values, as described in 7.1.4.
where in 7.1.4 it states:
If an argument to a function has an invalid value (such as [...] a null pointer [...]) the behavior is undefined.
The specification for memcpy does not explicitly state any exceptions, so passing NULL as s1 is undefined behavior.
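As an added illustration (not libmongocrypt's own code), the following hypothetical buffer-copy routine shows the reported pattern beside a form that never hands a possibly-NULL pointer to memcpy; the demo_ names, the struct, and the sample bytes are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for libmongocrypt's buffer struct; not the real type. */
typedef struct { uint8_t *data; uint32_t len; bool owned; } demo_buffer_t;
/* The pattern the report describes: malloc(0) may legitimately return NULL,
 * and that pointer is then passed to memcpy as the destination. A NULL
 * pointer argument to memcpy is undefined behavior even when n == 0. */
bool demo_copy_unchecked(demo_buffer_t *buf, const uint8_t *data, uint32_t len) {
    if (!data) return false;
    buf->data = malloc(len);      /* may be NULL when len == 0 */
    memcpy(buf->data, data, len); /* UB if buf->data == NULL, whatever len is */
    buf->len = len;
    buf->owned = true;
    return true;
}

/* Hardened form: a zero-length source becomes an empty buffer with no
 * allocation and no memcpy call, so a possibly-NULL pointer never reaches memcpy. */
bool demo_copy_checked(demo_buffer_t *buf, const uint8_t *data, uint32_t len) {
    if (!data) return false;
    buf->data = NULL;
    buf->len = len;
    buf->owned = false;
    if (len == 0) return true;    /* empty input: nothing to allocate or copy */
    buf->data = malloc(len);
    if (!buf->data) return false; /* genuine allocation failure */
    memcpy(buf->data, data, len);
    buf->owned = true;
    return true;
}

void demo_buffer_cleanup(demo_buffer_t *buf) {
    if (buf->owned) free(buf->data);
    buf->data = NULL; buf->len = 0; buf->owned = false;
}

/* Copies `len` bytes of a constructed sample through the checked path and
 * returns 1 if the resulting buffer is consistent, 0 otherwise. */
int demo_checked_roundtrip(uint32_t len) {
    const uint8_t sample[4] = {0xde, 0xad, 0xbe, 0xef}; /* constructed input */
    demo_buffer_t b;
    if (len > sizeof sample || !demo_copy_checked(&b, sample, len)) return 0;
    int ok = b.len == len && (len == 0 ? b.data == NULL : memcmp(b.data, sample, len) == 0);
    demo_buffer_cleanup(&b);
    return ok;
}
```

Running demo_copy_unchecked with len == 0 under UBSAN reproduces the class of report quoted above, while demo_copy_checked takes the early return and never calls memcpy for that input.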
Issue links:
- is related to: MONGOCRYPT-550 Add support for encryption/decryption of FLE2UnindexedEncryptedValueV2 (Closed)