From 4ad4ffd6f5ae477d276f5a86162b2f2799360ffa Mon Sep 17 00:00:00 2001 From: Ganlin Zhao Date: Mon, 25 Jul 2022 20:40:58 +0800 Subject: [PATCH] fix(query): fix apercentile merge function percent parameter not reserved cause crash_gen report invalid read TD-17795 --- source/libs/function/src/builtins.c | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/source/libs/function/src/builtins.c b/source/libs/function/src/builtins.c index 324a17320e..e94d6368fd 100644 --- a/source/libs/function/src/builtins.c +++ b/source/libs/function/src/builtins.c @@ -557,11 +557,13 @@ static int32_t translateApercentileImpl(SFunctionNode* pFunc, char* pErrBuf, int pFunc->node.resType = (SDataType){.bytes = getApercentileMaxSize() + VARSTR_HEADER_SIZE, .type = TSDB_DATA_TYPE_BINARY}; } else { - if (1 != numOfParams) { + // original percent param is reserved + if (2 != numOfParams) { return invaildFuncParaNumErrMsg(pErrBuf, len, pFunc->functionName); } uint8_t para1Type = ((SExprNode*)nodesListGetNode(pFunc->pParameterList, 0))->resType.type; - if (TSDB_DATA_TYPE_BINARY != para1Type) { + uint8_t para2Type = ((SExprNode*)nodesListGetNode(pFunc->pParameterList, 1))->resType.type; + if (TSDB_DATA_TYPE_BINARY != para1Type || !IS_INTEGER_TYPE(para2Type)) { return invaildFuncParaTypeErrMsg(pErrBuf, len, pFunc->functionName); } @@ -621,7 +623,7 @@ static int32_t translateTopBot(SFunctionNode* pFunc, char* pErrBuf, int32_t len) return TSDB_CODE_SUCCESS; } -int32_t topBotCreateMergePara(SNodeList* pRawParameters, SNode* pPartialRes, SNodeList** pParameters) { +static int32_t reserveFirstMergeParam(SNodeList* pRawParameters, SNode* pPartialRes, SNodeList** pParameters) { int32_t code = nodesListMakeAppend(pParameters, pPartialRes); if (TSDB_CODE_SUCCESS == code) { code = nodesListStrictAppend(*pParameters, nodesCloneNode(nodesListGetNode(pRawParameters, 1))); @@ -629,6 +631,14 @@ int32_t topBotCreateMergePara(SNodeList* pRawParameters, SNode* pPartialRes, SNo return TSDB_CODE_SUCCESS; } +int32_t topBotCreateMergeParam(SNodeList* pRawParameters, SNode* pPartialRes, SNodeList** pParameters) { + return reserveFirstMergeParam(pRawParameters, pPartialRes, pParameters); +} + +int32_t apercentileCreateMergeParam(SNodeList* pRawParameters, SNode* pPartialRes, SNodeList** pParameters) { + return reserveFirstMergeParam(pRawParameters, pPartialRes, pParameters); +} + static int32_t translateSpread(SFunctionNode* pFunc, char* pErrBuf, int32_t len) { if (1 != LIST_LENGTH(pFunc->pParameterList)) { return invaildFuncParaNumErrMsg(pErrBuf, len, pFunc->functionName); @@ -2068,7 +2078,8 @@ const SBuiltinFuncDefinition funcMgtBuiltins[] = { .invertFunc = NULL, .combineFunc = apercentileCombine, .pPartialFunc = "_apercentile_partial", - .pMergeFunc = "_apercentile_merge" + .pMergeFunc = "_apercentile_merge", + .createMergeParaFuc = apercentileCreateMergeParam }, { .name = "_apercentile_partial", @@ -2107,7 +2118,7 @@ const SBuiltinFuncDefinition funcMgtBuiltins[] = { .combineFunc = topCombine, .pPartialFunc = "top", .pMergeFunc = "top", - .createMergeParaFuc = topBotCreateMergePara + .createMergeParaFuc = topBotCreateMergeParam }, { .name = "bottom", @@ -2122,7 +2133,7 @@ const SBuiltinFuncDefinition funcMgtBuiltins[] = { .combineFunc = bottomCombine, .pPartialFunc = "bottom", .pMergeFunc = "bottom", - .createMergeParaFuc = topBotCreateMergePara + .createMergeParaFuc = topBotCreateMergeParam }, { .name = "spread",