From fbc77d1e71c7f044e6b9c04ed73eff0dffa30469 Mon Sep 17 00:00:00 2001
From: Jinqing Kuang
Date: Mon, 25 Nov 2024 14:58:42 +0800
Subject: [PATCH 1/2] fix(query)[TD-33006]. resolve wild pointer release issue in tsdbCreateReader Initialize pointer member variables in tsdbCreateReader to prevent random memory errors. It addresses a bug where uninitialized pointers are freed during error cleanup.
---
 source/dnode/vnode/src/tsdb/tsdbRead2.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source/dnode/vnode/src/tsdb/tsdbRead2.c b/source/dnode/vnode/src/tsdb/tsdbRead2.c
index ac8e8505e4..05ae4be74b 100644
--- a/source/dnode/vnode/src/tsdb/tsdbRead2.c
+++ b/source/dnode/vnode/src/tsdb/tsdbRead2.c
@@ -210,7 +210,7 @@ static int32_t setColumnIdSlotList(SBlockLoadSuppInfo* pSupInfo, SColumnInfo* pC
 pSupInfo->smaValid = true;
 pSupInfo->numOfCols = numOfCols;
- pSupInfo->colId = taosMemoryMalloc(numOfCols * (sizeof(int16_t) * 2 + POINTER_BYTES));
+ pSupInfo->colId = taosMemoryCalloc(numOfCols, sizeof(int16_t) * 2 + POINTER_BYTES);
 TSDB_CHECK_NULL(pSupInfo->colId, code, lino, _end, terrno);
 pSupInfo->slotId = (int16_t*)((char*)pSupInfo->colId + (sizeof(int16_t) * numOfCols));
From 513ccaaad85d391e6eca0f67ddf3fd5b39685dbe Mon Sep 17 00:00:00 2001
From: Jinqing Kuang
Date: Mon, 25 Nov 2024 15:09:11 +0800
Subject: [PATCH 2/2] fix(query)[TD-33008]. fix error handling in tsdbCacheRead Fix an issue that a freed null pointer was accessed during error handling in tsdbCacheRead, which would cause a crash.
---
 source/dnode/vnode/src/tsdb/tsdbCacheRead.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/source/dnode/vnode/src/tsdb/tsdbCacheRead.c b/source/dnode/vnode/src/tsdb/tsdbCacheRead.c
index 0f524e22d7..f5aeb609d5 100644
--- a/source/dnode/vnode/src/tsdb/tsdbCacheRead.c
+++ b/source/dnode/vnode/src/tsdb/tsdbCacheRead.c
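Review bot: Nothing at the `taosMemoryCalloc` call in setColumnIdSlotList (tsdbRead2.c) records that the zero fill is load-bearing, so a later cleanup could switch it back to `taosMemoryMalloc` and reintroduce the free of uninitialized pointers that the commit message describes. A one-line comment above the allocation would pin the invariant, for example `/* must be zero-filled: the pointer slots that share this buffer are freed on the error path and have to start out NULL */`. The pointer slots (implied by `POINTER_BYTES` in the element size) and the cleanup code sit outside this hunk, so the wording should be checked against them. The function body starts before and continues past the lines shown.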
@@ -346,7 +346,8 @@ int32_t tsdbCacherowsReaderOpen(void* pVnode, int32_t type, void* pTableIdList,
 p->rowKey.pks[0].pData = taosMemoryCalloc(1, pPkCol->bytes);
 if (p->rowKey.pks[0].pData == NULL) {
 taosMemoryFreeClear(p);
- TSDB_CHECK_NULL(p->rowKey.pks[0].pData, code, lino, _end, terrno);
+ code = terrno;
+ TSDB_CHECK_CODE(code, lino, _end);
 }
 }
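Review bot: In tsdbCacherowsReaderOpen the new `code = terrno;` is read only after `taosMemoryFreeClear(p)` has run, and the jump to `_end` now depends on that value being a failure code. If `terrno` is still success at this point (for instance when `pPkCol->bytes` is 0 and the allocator returns NULL without recording an error), and `TSDB_CHECK_CODE` only jumps on a non-success code as its name suggests, execution falls out of the `if` with `p` already freed. Capture the error first and give it a fallback: `code = (terrno != TSDB_CODE_SUCCESS) ? terrno : TSDB_CODE_OUT_OF_MEMORY;` before `taosMemoryFreeClear(p);`, then `TSDB_CHECK_CODE(code, lino, _end);`. The function continues outside the hunk, so whether `p` is dereferenced afterwards is not visible here.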