[CP] Fix core caused by out-of-bounds access to the question mark name array

src/sql/parser/parse_node.c

@@ -567,6 +567,12 @@ int64_t get_question_mark(ObQuestionMarkCtx* ctx, void* malloc_pool, const char*
   if (OB_UNLIKELY(NULL == ctx || NULL == name)) {
     (void)fprintf(stderr, "ERROR question mark ctx or name is NULL\n");
   } else {
+    if (NULL == ctx->name_ && 0 == ctx->capacity_) {
+      ctx->capacity_ = MAX_QUESTION_MARK;
+      // the errocde will be ignored here. TO BE FIXED.
+      ctx->name_ = (char **)parse_malloc(sizeof(char*) * MAX_QUESTION_MARK, malloc_pool);
+    }
+    if (ctx->name_ != NULL) {
       bool valid_name = true;
       for (int64_t i = 0; valid_name && -1 == idx && i < ctx->count_; ++i) {
         if (NULL == ctx->name_[i]) {
@@ -577,11 +583,27 @@ int64_t get_question_mark(ObQuestionMarkCtx* ctx, void* malloc_pool, const char*
         }
       }
       if (-1 == idx && valid_name) {
+        if (ctx->count_ >= ctx->capacity_) {
+          void *buf = parse_malloc(sizeof(char*) * (ctx->capacity_ * 2), malloc_pool);
+          if (OB_UNLIKELY(NULL == buf)) {
+            ctx->name_ = NULL;
+            (void)printf("ERROR malloc memory failed\n");
+          } else {
+            MEMCPY(buf, ctx->name_, sizeof(char*) * ctx->capacity_);
+            ctx->capacity_ *= 2;
+            ctx->name_ = (char **)buf;
+          }
+        }
+        if (ctx->name_ != NULL) {
           int64_t len = 0;
           ctx->name_[ctx->count_] = parse_strdup(name, malloc_pool, &len);
           idx = ctx->count_++;
         }
       }
+    } else {
+      (void)fprintf(stderr, "ERROR question mark name buffer is null\n");
+    }
+  }
   return idx;
 }
 

src/sql/parser/parse_node.h

@@ -178,9 +178,11 @@ typedef struct _PLParseInfo {
 
 #define MAX_QUESTION_MARK 128
 
-typedef struct _ObQuestionMarkCtx {
-  char* name_[MAX_QUESTION_MARK];
+typedef struct _ObQuestionMarkCtx
+{
+  char **name_;
   int count_;
+  int capacity_;
   bool by_ordinal_;
   bool by_name_;
 } ObQuestionMarkCtx;

src/sql/parser/sql_parser_base.c

@@ -64,6 +64,8 @@ int parse_reset(ParseResult* p)
     p->question_mark_ctx_.count_ = 0;
     p->question_mark_ctx_.by_ordinal_ = false;
     p->question_mark_ctx_.by_name_ = false;
+    p->question_mark_ctx_.name_ = NULL;
+    p->question_mark_ctx_.capacity_ = 0;
     p->sql_mode_ = 0;
 
     p->has_encount_comment_ = false;