From eb6b87b3e3609e9d3820a2707126a96d444e9613 Mon Sep 17 00:00:00 2001
From: yihaoDeng <luomoxyz@126.com>
Date: Mon, 13 Jun 2022 14:15:05 +0800
Subject: [PATCH 1/3] fix: invalid read/write

---
 source/libs/index/src/indexFilter.c | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/source/libs/index/src/indexFilter.c b/source/libs/index/src/indexFilter.c
index 6197edd474..1cc2679b06 100644
--- a/source/libs/index/src/indexFilter.c
+++ b/source/libs/index/src/indexFilter.c
@@ -97,7 +97,14 @@ static int32_t sifGetOperParamNum(EOperatorType ty) {
   }
   return 2;
 }
-static int32_t sifValidateColumn(SColumnNode *cn) {
+static int32_t sifValidOp(EOperatorType ty) {
+  if ((ty >= OP_TYPE_ADD && ty <= OP_TYPE_BIT_OR) || (ty == OP_TYPE_IN || ty == OP_TYPE_NOT_IN) ||
+      (ty == OP_TYPE_LIKE || ty == OP_TYPE_NOT_LIKE || ty == OP_TYPE_MATCH || ty == OP_TYPE_NMATCH)) {
+    return -1;
+  }
+  return 0;
+}
+static int32_t sifValidColumn(SColumnNode *cn) {
   // add more check
   if (cn == NULL) {
     return TSDB_CODE_QRY_INVALID_INPUT;
@@ -197,7 +204,7 @@ static int32_t sifInitParam(SNode *node, SIFParam *param, SIFCtx *ctx) {
     case QUERY_NODE_COLUMN: {
       SColumnNode *cn = (SColumnNode *)node;
       /*only support tag column*/
-      SIF_ERR_RET(sifValidateColumn(cn));
+      SIF_ERR_RET(sifValidColumn(cn));
 
       param->colId = cn->colId;
       param->colValType = cn->node.resType.type;
@@ -505,6 +512,11 @@ static int32_t sifGetOperFn(int32_t funcId, sif_func_t *func, SIdxFltStatus *sta
 
 static int32_t sifExecOper(SOperatorNode *node, SIFCtx *ctx, SIFParam *output) {
   int32_t code = 0;
+  if (sifValidOp(node->opType) < 0) {
+    output->status = SFLT_NOT_INDEX;
+    return code;
+  }
+
   int32_t nParam = sifGetOperParamNum(node->opType);
   if (nParam <= 1) {
     output->status = SFLT_NOT_INDEX;
@@ -516,6 +528,12 @@ static int32_t sifExecOper(SOperatorNode *node, SIFCtx *ctx, SIFParam *output) {
   SIFParam *params = NULL;
 
   SIF_ERR_RET(sifInitOperParams(&params, node, ctx));
+
+  if (params[0].status == SFLT_NOT_INDEX || (nParam > 1 && params[1].status == SFLT_NOT_INDEX)) {
+    output->status = SFLT_NOT_INDEX;
+    return code;
+  }
+
   // ugly code, refactor later
   output->arg = ctx->arg;
   sif_func_t operFn = sifNullFunc;

From 2488382dd6de0f5c45a7c7df99dee4019cd6c730 Mon Sep 17 00:00:00 2001
From: yihaoDeng <luomoxyz@126.com>
Date: Mon, 13 Jun 2022 20:49:54 +0800
Subject: [PATCH 2/3] fix: avoid invalid value

---
 source/libs/index/src/indexFilter.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/source/libs/index/src/indexFilter.c b/source/libs/index/src/indexFilter.c
index 1cc2679b06..90aafb1097 100644
--- a/source/libs/index/src/indexFilter.c
+++ b/source/libs/index/src/indexFilter.c
@@ -183,6 +183,7 @@ static int32_t sifInitJsonParam(SNode *node, SIFParam *param, SIFCtx *ctx) {
   memcpy(param->colName, r->literal, strlen(r->literal));
   // sprintf(param->colName, "%s_%s", l->colName, r->literal);
   param->colValType = r->typeData;
+  param->status = SFLT_COARSE_INDEX;
   return 0;
   // memcpy(param->colName, l->colName, sizeof(l->colName));
 }
@@ -254,11 +255,13 @@ static int32_t sifInitOperParams(SIFParam **params, SOperatorNode *node, SIFCtx
     return code;
   }
   SIFParam *paramList = taosMemoryCalloc(nParam, sizeof(SIFParam));
+
   if (NULL == paramList) {
     SIF_ERR_RET(TSDB_CODE_QRY_OUT_OF_MEMORY);
   }
 
-  if (nodeType(node->pLeft) == QUERY_NODE_OPERATOR) {
+  if (nodeType(node->pLeft) == QUERY_NODE_OPERATOR &&
+      (((SOperatorNode *)(node->pLeft))->opType == OP_TYPE_JSON_GET_VALUE)) {
     SNode *interNode = (node->pLeft);
     SIF_ERR_JRET(sifInitJsonParam(interNode, &paramList[0], ctx));
     if (nParam > 1) {
@@ -525,8 +528,8 @@ static int32_t sifExecOper(SOperatorNode *node, SIFCtx *ctx, SIFParam *output) {
   if (node->opType == OP_TYPE_JSON_GET_VALUE) {
     return code;
   }
-  SIFParam *params = NULL;
 
+  SIFParam *params = NULL;
   SIF_ERR_RET(sifInitOperParams(&params, node, ctx));
 
   if (params[0].status == SFLT_NOT_INDEX || (nParam > 1 && params[1].status == SFLT_NOT_INDEX)) {

From 0237c68e272da34a38439b5c2707a69e2ece361a Mon Sep 17 00:00:00 2001
From: yihaoDeng <luomoxyz@126.com>
Date: Tue, 14 Jun 2022 13:44:13 +0800
Subject: [PATCH 3/3] fix: invalid read/write

---
 source/dnode/vnode/src/meta/metaQuery.c | 11 ++++
 tests/script/tsim/stable/tag_filter.sim | 75 +++++++++++++++++++++++++
 2 files changed, 86 insertions(+)

diff --git a/source/dnode/vnode/src/meta/metaQuery.c b/source/dnode/vnode/src/meta/metaQuery.c
index 1d8082084f..a6339125c4 100644
--- a/source/dnode/vnode/src/meta/metaQuery.c
+++ b/source/dnode/vnode/src/meta/metaQuery.c
@@ -663,12 +663,23 @@ int32_t metaFilteTableIds(SMeta *pMeta, SMetaFltParam *param, SArray *pUids) {
 
   void *  entryKey = NULL, *entryVal = NULL;
   int32_t nEntryKey, nEntryVal;
+  bool    first = true;
   while (1) {
     valid = tdbTbcGet(pCursor->pCur, (const void **)&entryKey, &nEntryKey, (const void **)&entryVal, &nEntryVal);
     if (valid < 0) {
       break;
     }
     STagIdxKey *p = entryKey;
+    if (p->type != pCursor->type) {
+      if (first) {
+        valid = param->reverse ? tdbTbcMoveToPrev(pCursor->pCur) : tdbTbcMoveToNext(pCursor->pCur);
+        if (valid < 0) break;
+        continue;
+      } else {
+        break;
+      }
+    }
+    first = false;
     if (p != NULL) {
       int32_t cmp = (*param->filterFunc)(p->data, pKey->data, pKey->type);
       if (cmp == 0) {
diff --git a/tests/script/tsim/stable/tag_filter.sim b/tests/script/tsim/stable/tag_filter.sim
index 04b8f21de9..1f400eb803 100644
--- a/tests/script/tsim/stable/tag_filter.sim
+++ b/tests/script/tsim/stable/tag_filter.sim
@@ -73,5 +73,80 @@ if $rows != 6 then
 endi
 
 
+print ========== prepare stbBin and ctbBin
+sql create table db.stbBin (ts timestamp, c1 int, c2 binary(4)) tags(t1 binary(16))
 
+
+sql create table db.ctbBin using db.stbBin tags("a")
+sql insert into db.ctbBin values(now, 1, "2")
+
+sql create table db.ctbBin1 using db.stbBin tags("b")
+sql insert into db.ctbBin1 values(now, 2, "2")
+
+sql create table db.ctbBin2 using db.stbBin tags("c")
+sql insert into db.ctbBin2 values(now, 3, "2")
+
+sql create table db.ctbBin3 using db.stbBin tags("d")
+sql insert into db.ctbBin3 values(now, 4, "2")
+
+sql select * from db.stbBin where t1 = "a" 
+if $rows != 1 then 
+  return -1
+endi
+
+
+sql select * from db.stbBin where t1 < "a" 
+if $rows != 0 then 
+  return -=1
+endi
+
+sql select * from db.stbBin where t1 < "b" 
+if $rows != 1 then 
+  return -1
+endi
+
+
+sql select * from db.stbBin where t1 between "a" and "e" 
+if $rows != 4 then 
+  return -1
+endi
+
+
+print ========== prepare stbNc and ctbNc
+sql create table db.stbNc (ts timestamp, c1 int, c2 binary(4)) tags(t1 nchar(16))
+
+
+sql create table db.ctbNc using db.stbNc tags("a")
+sql insert into db.ctbNc values(now, 1, "2")
+
+sql create table db.ctbNc1 using db.stbNc tags("b")
+sql insert into db.ctbNc1 values(now, 2, "2")
+
+sql create table db.ctbNc2 using db.stbNc tags("c")
+sql insert into db.ctbNc2 values(now, 3, "2")
+
+sql create table db.ctbNc3 using db.stbNc tags("d")
+sql insert into db.ctbNc3 values(now, 4, "2")
+
+sql select * from db.stbNc where t1 = "a" 
+if $rows != 1 then 
+  return -1
+endi
+
+
+sql select * from db.stbNc where t1 < "a" 
+if $rows != 0 then 
+  return -=1
+endi
+
+sql select * from db.stbNc where t1 < "b" 
+if $rows != 1 then 
+  return -1
+endi
+
+
+sql select * from db.stbNc where t1 between "a" and "e" 
+if $rows != 4 then 
+  return -1
+endi
 system sh/exec.sh -n dnode1 -s stop -x SIGINT