From 1279ba1a65b15a90c5605b4f7a67ad005412687a Mon Sep 17 00:00:00 2001
From: kailixu
Date: Sat, 21 Sep 2024 08:28:15 +0800
Subject: [PATCH] fix: column length check for stmt insert
---
 source/common/src/tdataformat.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/source/common/src/tdataformat.c b/source/common/src/tdataformat.c
index 636df804ce..cc4a0b759d 100644
--- a/source/common/src/tdataformat.c
+++ b/source/common/src/tdataformat.c
@@ -129,8 +129,6 @@ static FORCE_INLINE int32_t tRowBuildScanAddValue(SRowBuildScanInfo *sinfo, SCol sinfo->kvMaxOffset = sinfo->kvPayloadSize; if (IS_VAR_DATA_TYPE(colVal->value.type)) { - if (colVal->value.nData > (pTColumn->bytes - VARSTR_HEADER_SIZE)) return TSDB_CODE_INVALID_PARA; - sinfo->tupleVarSize += tPutU32v(NULL, colVal->value.nData) // size + colVal->value.nData; // value
@@ -484,6 +482,10 @@ int32_t tRowBuildFromBind(SBindInfo *infos, int32_t numOfInfos, bool infoSorted,
 };
 if (IS_VAR_DATA_TYPE(infos[iInfo].type)) {
 value.nData = infos[iInfo].bind->length[iRow];
+ if (value.nData > pTSchema->columns[iInfo].bytes - VARSTR_HEADER_SIZE) {
+ code = TSDB_CODE_INVALID_PARA;
+ goto _exit;
+ }
 value.pData = (uint8_t *)infos[iInfo].bind->buffer + infos[iInfo].bind->buffer_length * iRow;
 } else {
 (void)memcpy(&value.val, (uint8_t *)infos[iInfo].bind->buffer + infos[iInfo].bind->buffer_length * iRow,
@@ -3282,6 +3284,10 @@ int32_t tRowBuildFromBind2(SBindInfo2 *infos, int32_t numOfInfos, bool infoSorte
 int32_t length = infos[iInfo].bind->length[iRow];
 uint8_t **data = &((uint8_t **)TARRAY_DATA(bufArray))[iInfo];
 value.nData = length;
+ if (value.nData > pTSchema->columns[iInfo].bytes - VARSTR_HEADER_SIZE) {
+ code = TSDB_CODE_INVALID_PARA;
+ goto _exit;
+ }
 value.pData = *data;
 *data += length;
 // value.pData = (uint8_t *)infos[iInfo].bind->buffer + infos[iInfo].bind->buffer_length * iRow;
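Review bot: The bound added in the tRowBuildFromBind hunk reads `pTSchema->columns[iInfo].bytes`, which is the right limit only if the i-th bind info always corresponds to the i-th schema column; the check removed from tRowBuildScanAddValue used the `pTColumn` that was paired with the value. The `infoSorted` parameter suggests infos can arrive in a different order, and if a statement may bind only a subset of columns the length would be compared against another column's width, so an oversized value could pass or a valid one be rejected. If positional alignment is guaranteed by the caller, I would state it at the check, e.g. `// infos[iInfo] is bound to pTSchema->columns[iInfo]; the width limit is taken by position`, and otherwise look the column up by the bind info's column id; the tRowBuildFromBind2 hunk uses the same indexing. The first hunk also removes the limit for any other caller of tRowBuildScanAddValue, which cannot be checked from this page. Both function bodies start and end outside the hunks.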
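Review bot: In the tRowBuildFromBind2 hunk `length` is a signed `int32_t` read from the caller's bind array, and the added check tests only the upper bound through `value.nData`, so whether a negative length is rejected depends on the type of `nData`, which is not visible here. Since `*data += length` follows a few lines later, I would make the lower bound explicit: `if (length < 0 || length > pTSchema->columns[iInfo].bytes - VARSTR_HEADER_SIZE) {`. Comparing `length` rather than `value.nData` also keeps both operands signed (assuming `bytes` is a signed field, to be confirmed), so a column narrower than `VARSTR_HEADER_SIZE` cannot turn the limit into a large unsigned value. The enclosing loop starts and ends outside the hunk.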