You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@doris.apache.org by mo...@apache.org on 2022/06/19 02:27:43 UTC
[doris] branch master updated: [fix] Fix heap-use-after-free when using type array (#10127)
This is an automated email from the ASF dual-hosted git repository.
morningman pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/master by this push:
new 5fdd995b4c [fix] Fix heap-use-after-free when using type array<string> (#10127)
5fdd995b4c is described below
commit 5fdd995b4cdb4023838c96889b0df4a9f51b6052
Author: Adonis Ling <ad...@gmail.com>
AuthorDate: Sun Jun 19 10:27:36 2022 +0800
[fix] Fix heap-use-after-free when using type array<string> (#10127)
---
be/src/vec/olap/olap_data_convertor.cpp | 47 +++++++++++++++++++++++----------
be/src/vec/olap/olap_data_convertor.h | 29 +++++++++++++++-----
2 files changed, 55 insertions(+), 21 deletions(-)
diff --git a/be/src/vec/olap/olap_data_convertor.cpp b/be/src/vec/olap/olap_data_convertor.cpp
index 604d2a02ec..abfaaef57f 100644
--- a/be/src/vec/olap/olap_data_convertor.cpp
+++ b/be/src/vec/olap/olap_data_convertor.cpp
@@ -17,6 +17,7 @@
#include "vec/olap/olap_data_convertor.h"
+#include "olap/tablet_schema.h"
#include "vec/columns/column_array.h"
#include "vec/columns/column_complex.h"
#include "vec/columns/column_vector.h"
@@ -599,25 +600,50 @@ Status OlapBlockDataConvertor::OlapColumnDataConvertorDecimal::convert_to_olap()
Status OlapBlockDataConvertor::OlapColumnDataConvertorArray::convert_to_olap() {
const ColumnArray* column_array = nullptr;
- const DataTypeArray* data_type_ptr_array = nullptr;
+ const DataTypeArray* data_type_array = nullptr;
if (_nullmap) {
const auto* nullable_column =
assert_cast<const ColumnNullable*>(_typed_column.column.get());
column_array =
assert_cast<const ColumnArray*>(nullable_column->get_nested_column_ptr().get());
- data_type_ptr_array = assert_cast<const DataTypeArray*>(
+ data_type_array = assert_cast<const DataTypeArray*>(
(assert_cast<const DataTypeNullable*>(_typed_column.type.get())->get_nested_type())
.get());
} else {
column_array = assert_cast<const ColumnArray*>(_typed_column.column.get());
- data_type_ptr_array = assert_cast<const DataTypeArray*>(_typed_column.type.get());
+ data_type_array = assert_cast<const DataTypeArray*>(_typed_column.type.get());
}
assert(column_array);
- assert(data_type_ptr_array);
+ assert(data_type_array);
+
+ return convert_to_olap(_nullmap, column_array, data_type_array);
+}
+
+Status OlapBlockDataConvertor::OlapColumnDataConvertorArray::convert_to_olap(
+ const UInt8* null_map, const ColumnArray* column_array,
+ const DataTypeArray* data_type_array) {
+ const UInt8* item_null_map = nullptr;
+ ColumnPtr item_data = column_array->get_data_ptr();
+ if (column_array->get_data().is_nullable()) {
+ const auto& data_nullable_column =
+ assert_cast<const ColumnNullable&>(column_array->get_data());
+ item_null_map = data_nullable_column.get_null_map_data().data();
+ item_data = data_nullable_column.get_nested_column_ptr();
+ }
const auto& offsets = column_array->get_offsets();
+ int64_t start_index = _row_pos - 1;
+ int64_t end_index = _row_pos + _num_rows - 1;
+ auto start = offsets[start_index];
+ auto size = offsets[end_index] - start;
+
+ ColumnWithTypeAndName item_typed_column = {
+ item_data, remove_nullable(data_type_array->get_nested_type()), ""};
+ _item_convertor->set_source_column(item_typed_column, start, size);
+ _item_convertor->convert_to_olap();
+
CollectionValue* collection_value = _values.data();
- for (int i = 0; i < _num_rows; ++i, ++collection_value) {
+ for (size_t i = 0; i < _num_rows; ++i, ++collection_value) {
int64_t cur_pos = _row_pos + i;
int64_t prev_pos = cur_pos - 1;
if (_nullmap && _nullmap[cur_pos]) {
@@ -632,18 +658,11 @@ Status OlapBlockDataConvertor::OlapColumnDataConvertorArray::convert_to_olap() {
}
if (column_array->get_data().is_nullable()) {
- const auto& data_nullable_column =
- assert_cast<const ColumnNullable&>(column_array->get_data());
- const auto* data_null_map = data_nullable_column.get_null_map_data().data();
collection_value->set_has_null(true);
collection_value->set_null_signs(
- const_cast<bool*>(reinterpret_cast<const bool*>(data_null_map + offset)));
+ const_cast<bool*>(reinterpret_cast<const bool*>(item_null_map + offset)));
}
- ColumnWithTypeAndName item_typed_column = {column_array->get_data_ptr(),
- data_type_ptr_array->get_nested_type(), ""};
- _item_convertor->set_source_column(item_typed_column, offset, size);
- _item_convertor->convert_to_olap();
- collection_value->set_data(const_cast<void*>(_item_convertor->get_data()));
+ collection_value->set_data(const_cast<void*>(_item_convertor->get_data_at(offset)));
}
return Status::OK();
}
diff --git a/be/src/vec/olap/olap_data_convertor.h b/be/src/vec/olap/olap_data_convertor.h
index e11fb672b2..2cf0f79dc3 100644
--- a/be/src/vec/olap/olap_data_convertor.h
+++ b/be/src/vec/olap/olap_data_convertor.h
@@ -16,13 +16,25 @@
// under the License.
#pragma once
-#include "olap/tablet_schema.h"
-#include "vec/columns/column.h"
-#include "vec/columns/column_string.h"
-#include "vec/common/string_ref.h"
-#include "vec/core/block.h"
-namespace doris::vectorized {
+#include "olap/types.h"
+#include "runtime/mem_pool.h"
+#include "vec/columns/column_nullable.h"
+#include "vec/core/column_with_type_and_name.h"
+#include "vec/core/types.h"
+
+namespace doris {
+
+class TabletSchema;
+class TabletColumn;
+class MemTracker;
+class Status;
+
+namespace vectorized {
+
+class Block;
+class ColumnArray;
+class DataTypeArray;
class IOlapColumnDataAccessor {
public:
@@ -242,6 +254,8 @@ private:
Status convert_to_olap() override;
private:
+ Status convert_to_olap(const UInt8* null_map, const ColumnArray* column_array,
+ const DataTypeArray* data_type_array);
OlapColumnDataConvertorBaseUPtr _item_convertor;
};
@@ -249,4 +263,5 @@ private:
std::vector<OlapColumnDataConvertorBaseUPtr> _convertors;
};
-} // namespace doris::vectorized
+} // namespace vectorized
+} // namespace doris
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@doris.apache.org
For additional commands, e-mail: commits-help@doris.apache.org