From e9f61672c2a8c1f7ddbfece76644f8edc27fcf79 Mon Sep 17 00:00:00 2001
From: kailixu
Date: Fri, 20 Sep 2024 18:40:59 +0800
Subject: [PATCH 1/4] fix: column length check for stmt insert
---
 source/common/src/tdataformat.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/source/common/src/tdataformat.c b/source/common/src/tdataformat.c
index 4b44e4af43..87fcf036dc 100644
--- a/source/common/src/tdataformat.c
+++ b/source/common/src/tdataformat.c
@@ -115,7 +115,7 @@ static FORCE_INLINE int32_t tRowBuildScanAddNull(SRowBuildScanInfo *sinfo, const
 return 0;
 }
-static FORCE_INLINE void tRowBuildScanAddValue(SRowBuildScanInfo *sinfo, SColVal *colVal, const STColumn *pTColumn) {
+static FORCE_INLINE int32_t tRowBuildScanAddValue(SRowBuildScanInfo *sinfo, SColVal *colVal, const STColumn *pTColumn) {
 bool isPK = ((pTColumn->flags & COL_IS_KEY) != 0);
 if (isPK) {
@@ -129,6 +129,8 @@ static FORCE_INLINE void tRowBuildScanAddValue(SRowBuildScanInfo *sinfo, SColVal
 sinfo->kvMaxOffset = sinfo->kvPayloadSize;
 if (IS_VAR_DATA_TYPE(colVal->value.type)) {
+ if (colVal->value.nData > pTColumn->bytes) return TSDB_CODE_INVALID_PARA;
+
 sinfo->tupleVarSize += tPutU32v(NULL, colVal->value.nData) // size
 + colVal->value.nData; // value
@@ -140,6 +142,7 @@ static FORCE_INLINE void tRowBuildScanAddValue(SRowBuildScanInfo *sinfo, SColVal
 + tDataTypes[colVal->value.type].bytes; // value
 }
 sinfo->numOfValue++;
+ return 0;
 }
 static int32_t tRowBuildScan(SArray *colVals, const STSchema *schema, SRowBuildScanInfo *sinfo) {
@@ -177,7 +180,7 @@ static int32_t tRowBuildScan(SArray *colVals, const STSchema *schema, SRowBuildS
 }
 if (COL_VAL_IS_VALUE(&colValArray[colValIndex])) {
- tRowBuildScanAddValue(sinfo, &colValArray[colValIndex], schema->columns + i);
+ if ((code = tRowBuildScanAddValue(sinfo, &colValArray[colValIndex], schema->columns + i))) goto _exit;
 } else if (COL_VAL_IS_NULL(&colValArray[colValIndex])) {
 if ((code = tRowBuildScanAddNull(sinfo, schema->columns + i))) goto _exit;
 } else if (COL_VAL_IS_NONE(&colValArray[colValIndex])) {
From 585410f5a0ed081710f41b5af81e579a74d29c4c Mon Sep 17 00:00:00 2001
From: kailixu
Date: Fri, 20 Sep 2024 19:01:08 +0800
Subject: [PATCH 2/4] fix: column length check for stmt insert
---
 source/common/src/tdataformat.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source/common/src/tdataformat.c b/source/common/src/tdataformat.c
index 87fcf036dc..636df804ce 100644
--- a/source/common/src/tdataformat.c
+++ b/source/common/src/tdataformat.c
@@ -129,7 +129,7 @@ static FORCE_INLINE int32_t tRowBuildScanAddValue(SRowBuildScanInfo *sinfo, SCol
 sinfo->kvMaxOffset = sinfo->kvPayloadSize;
 if (IS_VAR_DATA_TYPE(colVal->value.type)) {
- if (colVal->value.nData > pTColumn->bytes) return TSDB_CODE_INVALID_PARA;
+ if (colVal->value.nData > (pTColumn->bytes - VARSTR_HEADER_SIZE)) return TSDB_CODE_INVALID_PARA;
 sinfo->tupleVarSize += tPutU32v(NULL, colVal->value.nData) // size
 + colVal->value.nData; // value
From 1279ba1a65b15a90c5605b4f7a67ad005412687a Mon Sep 17 00:00:00 2001
From: kailixu
Date: Sat, 21 Sep 2024 08:28:15 +0800
Subject: [PATCH 3/4] fix: column length check for stmt insert
---
 source/common/src/tdataformat.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/source/common/src/tdataformat.c b/source/common/src/tdataformat.c
index 636df804ce..cc4a0b759d 100644
--- a/source/common/src/tdataformat.c
+++ b/source/common/src/tdataformat.c
@@ -129,8 +129,6 @@ static FORCE_INLINE int32_t tRowBuildScanAddValue(SRowBuildScanInfo *sinfo, SCol
 sinfo->kvMaxOffset = sinfo->kvPayloadSize;
 if (IS_VAR_DATA_TYPE(colVal->value.type)) {
- if (colVal->value.nData > (pTColumn->bytes - VARSTR_HEADER_SIZE)) return TSDB_CODE_INVALID_PARA;
-
 sinfo->tupleVarSize += tPutU32v(NULL, colVal->value.nData) // size
 + colVal->value.nData; // value
@@ -484,6 +482,10 @@ int32_t tRowBuildFromBind(SBindInfo *infos, int32_t numOfInfos, bool infoSorted,
 };
 if (IS_VAR_DATA_TYPE(infos[iInfo].type)) {
 value.nData = infos[iInfo].bind->length[iRow];
+ if (value.nData > pTSchema->columns[iInfo].bytes - VARSTR_HEADER_SIZE) {
+ code = TSDB_CODE_INVALID_PARA;
+ goto _exit;
+ }
 value.pData = (uint8_t *)infos[iInfo].bind->buffer + infos[iInfo].bind->buffer_length * iRow;
 } else {
 (void)memcpy(&value.val, (uint8_t *)infos[iInfo].bind->buffer + infos[iInfo].bind->buffer_length * iRow,
@@ -3282,6 +3284,10 @@ int32_t tRowBuildFromBind2(SBindInfo2 *infos, int32_t numOfInfos, bool infoSorte
 int32_t length = infos[iInfo].bind->length[iRow];
 uint8_t **data = &((uint8_t **)TARRAY_DATA(bufArray))[iInfo];
 value.nData = length;
+ if (value.nData > pTSchema->columns[iInfo].bytes - VARSTR_HEADER_SIZE) {
+ code = TSDB_CODE_INVALID_PARA;
+ goto _exit;
+ }
 value.pData = *data;
 *data += length;
 // value.pData = (uint8_t *)infos[iInfo].bind->buffer + infos[iInfo].bind->buffer_length * iRow;
From aa6c9bc0a7823155546a4e3e61746b6a22a279f4 Mon Sep 17 00:00:00 2001
From: kailixu
Date: Sat, 21 Sep 2024 08:32:13 +0800
Subject: [PATCH 4/4] fix: column length check for stmt insert
---
 source/common/src/tdataformat.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/source/common/src/tdataformat.c b/source/common/src/tdataformat.c
index cc4a0b759d..0ef254f7b7 100644
--- a/source/common/src/tdataformat.c
+++ b/source/common/src/tdataformat.c
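Review bot: The new bound in tRowBuildFromBind (hunk `@@ -484,6 +482,10 @@`) takes its limit from `pTSchema->columns[iInfo]`, that is, by position in the bind array rather than by the column the bind refers to; the tRowBuildFromBind2 hunk (`@@ -3282,6 +3284,10 @@`) repeats the same lookup. If `infos` can hold a subset of the schema's columns or a different order (the `infoSorted` parameter suggests callers do not guarantee order), the length is compared against another column's `bytes`, so an over-long value can pass or a valid one be rejected, and `iInfo` is not shown to be below the schema's column count. Consider resolving the STColumn from the bind's column identifier before comparing. The check also bounds `length[iRow]` only against the schema and not against `bind->buffer_length`, the per-row stride used for `value.pData` on the next line; unless that is validated outside this hunk, extend the condition with `|| value.nData > infos[iInfo].bind->buffer_length`. Both function bodies start and end outside the hunks.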
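Review bot: In the tRowBuildFromBind2 hunk (`@@ -3282,6 +3284,10 @@`) the client-supplied `length` is a signed `int32_t` and is used for `*data += length` right after the check, but the check itself is made on `value.nData`. Whether a negative `length` is rejected therefore depends on the types of `value.nData` and of `bytes - VARSTR_HEADER_SIZE`, neither of which is visible here; if the comparison ends up signed, a negative length passes and moves `*data` backwards. Testing the source value explicitly, `if (length < 0 || value.nData > pTSchema->columns[iInfo].bytes - VARSTR_HEADER_SIZE) {`, makes the result independent of the conversion rules. The same applies to `length[iRow]` in the tRowBuildFromBind hunk.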
@@ -115,7 +115,7 @@ static FORCE_INLINE int32_t tRowBuildScanAddNull(SRowBuildScanInfo *sinfo, const
 return 0;
 }
-static FORCE_INLINE int32_t tRowBuildScanAddValue(SRowBuildScanInfo *sinfo, SColVal *colVal, const STColumn *pTColumn) {
+static FORCE_INLINE void tRowBuildScanAddValue(SRowBuildScanInfo *sinfo, SColVal *colVal, const STColumn *pTColumn) {
 bool isPK = ((pTColumn->flags & COL_IS_KEY) != 0);
 if (isPK) {
@@ -140,7 +140,6 @@ static FORCE_INLINE int32_t tRowBuildScanAddValue(SRowBuildScanInfo *sinfo, SCol
 + tDataTypes[colVal->value.type].bytes; // value
 }
 sinfo->numOfValue++;
- return 0;
 }
 static int32_t tRowBuildScan(SArray *colVals, const STSchema *schema, SRowBuildScanInfo *sinfo) {
@@ -178,7 +177,7 @@ static int32_t tRowBuildScan(SArray *colVals, const STSchema *schema, SRowBuildS
 }
 if (COL_VAL_IS_VALUE(&colValArray[colValIndex])) {
- if ((code = tRowBuildScanAddValue(sinfo, &colValArray[colValIndex], schema->columns + i))) goto _exit;
+ tRowBuildScanAddValue(sinfo, &colValArray[colValIndex], schema->columns + i);
 } else if (COL_VAL_IS_NULL(&colValArray[colValIndex])) {
 if ((code = tRowBuildScanAddNull(sinfo, schema->columns + i))) goto _exit;
 } else if (COL_VAL_IS_NONE(&colValArray[colValIndex])) {
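Review bot: With `tRowBuildScanAddValue` returning `void` again (hunk `@@ -178,7 +177,7 @@`), tRowBuildScan accepts any `nData` for a variable-length value, so the length limit now holds only for rows that arrive through tRowBuildFromBind and tRowBuildFromBind2 as changed in patch 3/4. Any other producer of the `colVals` array that reaches this scan is unchecked, and whether those callers validate lengths themselves is not visible in this series. If the limit is meant to be an invariant of row building, keeping the check in the scan helper, as patches 1/4 and 2/4 had it, covers every path. Otherwise a comment at the call such as `/* var-length bounds are enforced by callers before colVals is built */` would record the contract. tRowBuildScan's body continues outside the hunk.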