From 1f15dda4adc05685292a09554a6fa055bb3a7546 Mon Sep 17 00:00:00 2001
From: Haojun Liao <hjliao@taosdata.com>
Date: Mon, 6 Sep 2021 16:49:52 +0800
Subject: [PATCH] [ts-218] fix the invalid write.

---
 src/util/src/tarray.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/src/util/src/tarray.c b/src/util/src/tarray.c
index d0d126c1e4..2d6c513cb5 100644
--- a/src/util/src/tarray.c
+++ b/src/util/src/tarray.c
@@ -112,14 +112,15 @@ void taosArrayRemoveBatch(SArray *pArray, const int32_t* pData, int32_t numOfEle
     i += 1;
   }
 
-  assert(i == pData[numOfElems - 1] + 1);
+  assert(i == pData[numOfElems - 1] + 1 && i <= size);
 
-  int32_t dstIndex = pData[numOfElems - 1] - numOfElems + 1;
   int32_t srcIndex = pData[numOfElems - 1] + 1;
-
-  char* dst = TARRAY_GET_ELEM(pArray, dstIndex);
-  char* src = TARRAY_GET_ELEM(pArray, srcIndex);
-  memmove(dst, src, pArray->elemSize * (pArray->size - numOfElems));
+  int32_t dstIndex = pData[numOfElems - 1] - numOfElems + 1;
+  if (pArray->size - srcIndex > 0) {
+    char* dst = TARRAY_GET_ELEM(pArray, dstIndex);
+    char* src = TARRAY_GET_ELEM(pArray, srcIndex);
+    memmove(dst, src, pArray->elemSize * (pArray->size - srcIndex));
+  }
 
   pArray->size -= numOfElems;
 }
-- 
GitLab