From 09463cb43ee807d432972e0eab8af1f67d6b92c2 Mon Sep 17 00:00:00 2001
From: shenglian zhou
Date: Mon, 28 Aug 2023 11:25:16 +0800
Subject: [PATCH 1/2] enhance: fix buffer size overflow
---
 source/libs/scalar/src/sclfunc.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/source/libs/scalar/src/sclfunc.c b/source/libs/scalar/src/sclfunc.c
index b9af716929..7a19fda08e 100644
--- a/source/libs/scalar/src/sclfunc.c
+++ b/source/libs/scalar/src/sclfunc.c
@@ -654,8 +654,12 @@ int32_t substrFunction(SScalarParam *pInput, int32_t inputNum, SScalarParam *pOu
 SColumnInfoData *pInputData = pInput->columnData;
 SColumnInfoData *pOutputData = pOutput->columnData;
- int32_t outputLen = pInputData->varmeta.length * pInput->numOfRows;
+ uint32_t outputLen = pInputData->varmeta.length;
 char *outputBuf = taosMemoryCalloc(outputLen, 1);
+ if (outputBuf == NULL) {
+ qError("memory allocation failure. size: %u", outputLen);
+ return TSDB_CODE_OUT_OF_MEMORY;
+ }
 char *output = outputBuf;
 for (int32_t i = 0; i < pInput->numOfRows; ++i) {
From 322e8c66975201ea01de18dd0f0624eb43b89551 Mon Sep 17 00:00:00 2001
From: shenglian zhou
Date: Mon, 28 Aug 2023 13:43:37 +0800
Subject: [PATCH 2/2] fix: use col cell size instead of total col data size
---
 source/libs/scalar/src/sclfunc.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/source/libs/scalar/src/sclfunc.c b/source/libs/scalar/src/sclfunc.c
index 7a19fda08e..1b7559a207 100644
--- a/source/libs/scalar/src/sclfunc.c
+++ b/source/libs/scalar/src/sclfunc.c
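Review bot: The added `outputBuf == NULL` check in substrFunction cannot tell an allocation failure from a zero-byte request. `outputLen` is now `pInputData->varmeta.length`; if that can be 0 (presumably when every row is NULL, which is not visible here), `taosMemoryCalloc(0, 1)` may return NULL and the call would fail with TSDB_CODE_OUT_OF_MEMORY. Requesting at least one byte, `taosMemoryCalloc(TMAX(outputLen, 1), 1)`, avoids that. The hunk also drops the `* pInput->numOfRows` factor without recording why the total payload length still bounds the sum of the output cells; a one-line comment above the allocation stating that assumption would make the sizing auditable. The function body starts and ends outside the hunk.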
@@ -654,13 +654,12 @@ int32_t substrFunction(SScalarParam *pInput, int32_t inputNum, SScalarParam *pOu
 SColumnInfoData *pInputData = pInput->columnData;
 SColumnInfoData *pOutputData = pOutput->columnData;
- uint32_t outputLen = pInputData->varmeta.length;
- char *outputBuf = taosMemoryCalloc(outputLen, 1);
+ int32_t outputLen = pInputData->info.bytes;
+ char *outputBuf = taosMemoryMalloc(outputLen);
 if (outputBuf == NULL) {
- qError("memory allocation failure. size: %u", outputLen);
+ qError("substr function memory allocation failure. size: %d", outputLen);
 return TSDB_CODE_OUT_OF_MEMORY;
 }
- char *output = outputBuf;
 for (int32_t i = 0; i < pInput->numOfRows; ++i) {
 if (colDataIsNull_s(pInputData, i)) {
@@ -680,14 +679,16 @@ int32_t substrFunction(SScalarParam *pInput, int32_t inputNum, SScalarParam *pOu
 startPosBytes = TMAX(startPosBytes, 0);
 }
+ char *output = outputBuf;
 int32_t resLen = TMIN(subLen, len - startPosBytes);
 if (resLen > 0) {
 memcpy(varDataVal(output), varDataVal(input) + startPosBytes, resLen);
+ varDataSetLen(output, resLen);
+ } else {
+ varDataSetLen(output, 0);
 }
- varDataSetLen(output, resLen);
 colDataSetVal(pOutputData, i, output, false);
- output += varDataTLen(output);
 }
 pOutput->numOfRows = pInput->numOfRows;
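Review bot: Nothing in the visible code ties the one-cell scratch buffer to what the loop writes into it. `outputBuf` is now `pInputData->info.bytes` long, while the `memcpy` in the second hunk stores the length header plus `resLen` bytes, so safety rests on every input cell satisfying `varDataTLen(input) <= pInputData->info.bytes`. If that is a guaranteed column invariant, state it above the allocation, e.g. `// one reusable cell; every row's varDataTLen() is bounded by info.bytes`. If a cell can be longer (not determinable from this hunk), add a check such as `if (varDataTLen(input) > outputLen)` that releases `outputBuf` and fails the call before the copy. The switch from `taosMemoryCalloc` to `taosMemoryMalloc` leaves the buffer uninitialised, which is acceptable only because the second hunk sets the length on both branches before `colDataSetVal`; the function continues outside the hunk, so the matching free is not visible here.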
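Review bot: The `if`/`else` that now sets the cell length can be a single statement after the copy, `varDataSetLen(output, TMAX(resLen, 0));`, which keeps the clamp of a non-positive `resLen` in one place. `output` is re-pointed at `outputBuf` on every iteration and never advanced, so the alias could be dropped and `outputBuf` used directly. A short comment such as `// resLen <= 0: nothing to copy, emit an empty value` would record why the clamp exists, since the removed line stored `resLen` as the length unconditionally. `len`, `startPosBytes` and `input` are defined outside the hunk.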