[CP] fix: core dump cause by properties_name buffer use after free

2024-02-08 14:57:04 +00:00
parent 2e200bc613
commit 08e3d827d3
4 changed files with 8 additions and 5 deletions
--- a/src/observer/table/ob_table_query_common.cpp
+++ b/src/observer/table/ob_table_query_common.cpp
@ -68,8 +68,8 @@ int ObTableQueryUtils::generate_query_result_iterator(ObIAllocator &allocator,
  bool has_filter = (query.get_htable_filter().is_valid() || query.get_filter_string().length() > 0);
  const ObString &kv_attributes = tb_ctx.get_table_schema()->get_kv_attributes();

-  if (OB_FAIL(one_result.assign_property_names(tb_ctx.get_query_col_names()))) {
-    LOG_WARN("fail to assign property names to one result", K(ret), K(tb_ctx));
+  if (OB_FAIL(one_result.deep_copy_property_names(tb_ctx.get_query_col_names()))) {
+    LOG_WARN("fail to deep copy property names to one result", K(ret), K(tb_ctx));
  } else if (has_filter) {
    if (is_hkv) {
      ObHTableFilterOperator *htable_result_iter = nullptr;
--- a/src/observer/table/ob_table_query_sync_processor.cpp
+++ b/src/observer/table/ob_table_query_sync_processor.cpp
@ -542,7 +542,7 @@ int ObTableQuerySyncP::query_scan_without_init()
  if (OB_ISNULL(result_iter)) {
    ret = OB_ERR_NULL_VALUE;
    LOG_WARN("unexpected null result iterator", K(ret));
-  } else if (OB_FAIL(result_.assign_property_names(tb_ctx.get_query_col_names()))) {
+  } else if (OB_FAIL(result_.deep_copy_property_names(tb_ctx.get_query_col_names()))) {
    LOG_WARN("fail to assign property names to one result", K(ret), K(tb_ctx));
  } else {
    ObTableQueryResult *query_result = nullptr;
--- a/src/share/table/ob_table.cpp
+++ b/src/share/table/ob_table.cpp
@ -1313,7 +1313,8 @@ OB_SERIALIZE_MEMBER_IF(ObHTableFilter,
 ////////////////////////////////////////////////////////////////
 ObTableQueryResult::ObTableQueryResult()
    :row_count_(0),
-     allocator_(ObModIds::TABLE_PROC),
+     allocator_(ObModIds::TABLE_PROC, OB_MALLOC_NORMAL_BLOCK_SIZE, MTL_ID()),
+     prop_name_allocator_(ObModIds::TABLE_PROC, OB_MALLOC_NORMAL_BLOCK_SIZE, MTL_ID()),
     fixed_result_size_(0),
     curr_idx_(0)
 {
@ -1333,6 +1334,7 @@ void ObTableQueryResult::reset()
 {
  properties_names_.reset();
  reset_except_property();
+  prop_name_allocator_.reset();
 }

 void ObTableQueryResult::rewind()
@ -1415,7 +1417,7 @@ int ObTableQueryResult::deep_copy_property_names(const ObIArray<ObString> &other
  }

  for (int64_t i = 0; OB_SUCC(ret) && i < other.count(); i++) {
-    if (OB_FAIL(ob_write_string(allocator_, other.at(i), properties_names_.at(i)))) {
+    if (OB_FAIL(ob_write_string(prop_name_allocator_, other.at(i), properties_names_.at(i)))) {
      LOG_WARN("failed to write string", K(ret), K(other.at(i)));
    }
  }
--- a/src/share/table/ob_table.h
+++ b/src/share/table/ob_table.h
@ -873,6 +873,7 @@ private:
  int64_t row_count_;                                 // serialize
  common::ObDataBuffer buf_;                          // serialize
  common::ObArenaAllocator allocator_;
+  common::ObArenaAllocator prop_name_allocator_;
  int64_t fixed_result_size_;
  // for deserialize and read
  int64_t curr_idx_;