fix: heap buffer overflow found by memory check
haolinw committed Dec 18, 2024
1 parent 033808e commit 1f9e943
Showing 1 changed file with 7 additions and 3 deletions.
10 changes: 7 additions & 3 deletions source/dnode/vnode/src/tsdb/tsdbCacheRead.c
@@ -161,10 +161,14 @@ static int32_t saveOneRow(SArray* pRow, SSDataBlock* pBlock, SCacheRowsReader* p
// allNullRow = p->isNull & allNullRow;
if (!p->isNull) {
if (IS_VAR_DATA_TYPE(pColVal->colVal.value.type)) {
varDataSetLen(p->buf, pColVal->colVal.value.nData);
int32_t pkBufLen = (pReader->rowKey.numOfPKs > 0) ? pReader->pkColumn.bytes : 0;
int32_t bytes = (slotId == -1) ? 1 : pReader->pSchema->columns[slotId].bytes;
uint32_t allocDataLen = bytes + pkBufLen;
uint32_t len = (allocDataLen < pColVal->colVal.value.nData ? allocDataLen : pColVal->colVal.value.nData);

memcpy(varDataVal(p->buf), pColVal->colVal.value.pData, pColVal->colVal.value.nData);
p->bytes = pColVal->colVal.value.nData + VARSTR_HEADER_SIZE; // binary needs to plus the header size
varDataSetLen(p->buf, pColVal->colVal.value.nData);
memcpy(varDataVal(p->buf), pColVal->colVal.value.pData, len);
p->bytes = len + VARSTR_HEADER_SIZE; // binary needs to plus the header size
} else {
memcpy(p->buf, &pColVal->colVal.value.val, pReader->pSchema->columns[slotId].bytes);
p->bytes = pReader->pSchema->columns[slotId].bytes;
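Review bot: The length prefix is still written from the untruncated value, `varDataSetLen(p->buf, pColVal->colVal.value.nData);`, while the memcpy and `p->bytes` now use the clamped `len`, so whenever clamping happens the header claims more payload than was copied and any consumer that trusts the prefix can read past the allocation; it should be `varDataSetLen(p->buf, len);`. The clamp also assumes the destination has `bytes + pkBufLen` bytes available after the var-data header; the allocation is not in this hunk, so if that size already includes the header the bound needs `- VARSTR_HEADER_SIZE`. The `slotId == -1` case is handled only in the variable-length branch, while the fixed-width branch just below still indexes `columns[slotId]` unguarded, which is worth checking against the callers. Truncating silently also hides whatever produced a value longer than the schema allows, so a debug log or an error return at that point would help triage. saveOneRow starts and ends outside the hunk.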
