From 08e3d827d3b3433f89d3e009c39f99e6a4fb6cbc Mon Sep 17 00:00:00 2001
From: obdev
Date: Thu, 8 Feb 2024 14:57:04 +0000
Subject: [PATCH] [CP] fix: core dump cause by properties_name buffer use after free
---
 src/observer/table/ob_table_query_common.cpp | 4 ++--
 src/observer/table/ob_table_query_sync_processor.cpp | 2 +-
 src/share/table/ob_table.cpp | 6 ++++--
 src/share/table/ob_table.h | 1 +
 4 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/src/observer/table/ob_table_query_common.cpp b/src/observer/table/ob_table_query_common.cpp
index baefe0a4cc..11710fddfe 100644
--- a/src/observer/table/ob_table_query_common.cpp
+++ b/src/observer/table/ob_table_query_common.cpp
@@ -68,8 +68,8 @@ int ObTableQueryUtils::generate_query_result_iterator(ObIAllocator &allocator,
 bool has_filter = (query.get_htable_filter().is_valid() || query.get_filter_string().length() > 0);
 const ObString &kv_attributes = tb_ctx.get_table_schema()->get_kv_attributes();
- if (OB_FAIL(one_result.assign_property_names(tb_ctx.get_query_col_names()))) {
- LOG_WARN("fail to assign property names to one result", K(ret), K(tb_ctx));
+ if (OB_FAIL(one_result.deep_copy_property_names(tb_ctx.get_query_col_names()))) {
+ LOG_WARN("fail to deep copy property names to one result", K(ret), K(tb_ctx));
 } else if (has_filter) {
 if (is_hkv) {
 ObHTableFilterOperator *htable_result_iter = nullptr;
diff --git a/src/observer/table/ob_table_query_sync_processor.cpp b/src/observer/table/ob_table_query_sync_processor.cpp
index 0d47cc5db8..4f2f980d37 100644
--- a/src/observer/table/ob_table_query_sync_processor.cpp
+++ b/src/observer/table/ob_table_query_sync_processor.cpp
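Review bot: Nothing at the changed call in `ObTableQueryUtils::generate_query_result_iterator` records why the copy has to be deep, so a later cleanup could switch it back to `assign_property_names` and reintroduce the dangling `ObString` buffers the commit title describes. A short comment above the `if` would pin that down, e.g. `// deep copy: one_result must own the column-name buffers (shallow assign led to a use-after-free)`. The shallow `assign_property_names` presumably still exists, so any callers outside this diff deserve the same lifetime check. The function body starts and ends outside the hunk.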
@@ -542,7 +542,7 @@ int ObTableQuerySyncP::query_scan_without_init()
 if (OB_ISNULL(result_iter)) {
 ret = OB_ERR_NULL_VALUE;
 LOG_WARN("unexpected null result iterator", K(ret));
- } else if (OB_FAIL(result_.assign_property_names(tb_ctx.get_query_col_names()))) {
+ } else if (OB_FAIL(result_.deep_copy_property_names(tb_ctx.get_query_col_names()))) {
 LOG_WARN("fail to assign property names to one result", K(ret), K(tb_ctx));
 } else {
 ObTableQueryResult *query_result = nullptr;
diff --git a/src/share/table/ob_table.cpp b/src/share/table/ob_table.cpp
index 60bba37613..20704ec525 100644
--- a/src/share/table/ob_table.cpp
+++ b/src/share/table/ob_table.cpp
@@ -1313,7 +1313,8 @@ OB_SERIALIZE_MEMBER_IF(ObHTableFilter,
 ////////////////////////////////////////////////////////////////
 ObTableQueryResult::ObTableQueryResult()
 :row_count_(0),
- allocator_(ObModIds::TABLE_PROC),
+ allocator_(ObModIds::TABLE_PROC, OB_MALLOC_NORMAL_BLOCK_SIZE, MTL_ID()),
+ prop_name_allocator_(ObModIds::TABLE_PROC, OB_MALLOC_NORMAL_BLOCK_SIZE, MTL_ID()),
 fixed_result_size_(0),
 curr_idx_(0)
 {
@@ -1333,6 +1334,7 @@ void ObTableQueryResult::reset()
 {
 properties_names_.reset();
 reset_except_property();
+ prop_name_allocator_.reset();
 }
 void ObTableQueryResult::rewind()
@@ -1415,7 +1417,7 @@ int ObTableQueryResult::deep_copy_property_names(const ObIArray &other
 }
 for (int64_t i = 0; OB_SUCC(ret) && i < other.count(); i++) {
- if (OB_FAIL(ob_write_string(allocator_, other.at(i), properties_names_.at(i)))) {
+ if (OB_FAIL(ob_write_string(prop_name_allocator_, other.at(i), properties_names_.at(i)))) {
 LOG_WARN("failed to write string", K(ret), K(other.at(i)));
 }
 }
diff --git a/src/share/table/ob_table.h b/src/share/table/ob_table.h
index 5226354250..296926f320 100644
--- a/src/share/table/ob_table.h
+++ b/src/share/table/ob_table.h
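Review bot: The `LOG_WARN` under the changed condition in `ObTableQuerySyncP::query_scan_without_init` still reads "fail to assign property names to one result" although the call is now `deep_copy_property_names`; the matching message in ob_table_query_common.cpp was updated. Change it to `LOG_WARN("fail to deep copy property names to one result", K(ret), K(tb_ctx));` so the log names the call that actually failed. The function continues outside the hunk.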
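Review bot: `MTL_ID()` is now evaluated in the initializer list of `ObTableQueryResult::ObTableQueryResult()` for both arenas, so the tenant the memory is charged to is fixed at construction and depends on a tenant context being set on the constructing thread. If an `ObTableQueryResult` can be built outside such a context (a deserialization or client-side path, for instance), the arenas would presumably carry an invalid or default tenant id; that is not visible in this diff and is worth confirming. The tenant-id change to `allocator_` is also separate from the use-after-free in the title and would be easier to audit if the commit message mentioned it.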
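Review bot: Strings written into `prop_name_allocator_` by this loop in `deep_copy_property_names` are released only by `reset()` (the hunk above), so each further call on the same object leaves the previous copies alive in the arena. `ObTableQuerySyncP::query_scan_without_init` calls it on the member `result_`; if that object is reused across batches without `reset()`, the arena grows for as long as the query session lives. Unless the part of the function above this hunk already does it, begin the function with `properties_names_.reset(); prop_name_allocator_.reuse();` so old names are dropped before the new ones are copied. The function starts outside the hunk.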
@@ -873,6 +873,7 @@ private:
 int64_t row_count_; // serialize
 common::ObDataBuffer buf_; // serialize
 common::ObArenaAllocator allocator_;
+ common::ObArenaAllocator prop_name_allocator_;
 int64_t fixed_result_size_;
 // for deserialize and read
 int64_t curr_idx_;
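Review bot: The new member `prop_name_allocator_` has no comment, and its lifetime rule is the substance of the fix: it is released in `reset()` only, while `allocator_` is presumably also released by `reset_except_property()` (not visible in this diff). Add a trailing comment such as `// owns properties_names_ buffers; freed in reset() only` so nobody later merges the two arenas or writes property names into `allocator_` again. The class body starts and ends outside the hunk.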