<fix>[TD-12261] deal heap-buffer-overflow if json value is ""

f42154e2 · wmmhello · 3386857b · f42154e2 · f42154e2
隐藏空白更改
内联并排

Showing with 21 addition and 13 deletion

src/client/src/tscUtil.c src/client/src/tscUtil.c +1 -1

src/tsdb/src/tsdbRead.c src/tsdb/src/tsdbRead.c +20 -12

未找到文件。
--- a/src/client/src/tscUtil.c
+++ b/src/client/src/tscUtil.c
@@ -5514,7 +5514,7 @@ int parseJsontoTagData(char* json, SKVRowBuilder* kvRowBuilder, char* errMsg, in
      char *tagVal = calloc(strlen(jsonValue) * TSDB_NCHAR_SIZE + TSDB_NCHAR_SIZE, 1);
      *tagVal = jsonType2DbType(0, item->type);     // type
      char* tagData = POINTER_SHIFT(tagVal,CHAR_BYTES);
-      if (!taosMbsToUcs4(jsonValue, strlen(jsonValue), varDataVal(tagData),
+      if (strlen(jsonValue) > 0 && !taosMbsToUcs4(jsonValue, strlen(jsonValue), varDataVal(tagData),
                         (int32_t)(strlen(jsonValue) * TSDB_NCHAR_SIZE), &outLen)) {
        tscError("json string error:%s|%s", strerror(errno), jsonValue);
        retCode = tscSQLSyntaxErrMsg(errMsg, "serizelize json error", NULL);

--- a/src/tsdb/src/tsdbRead.c
+++ b/src/tsdb/src/tsdbRead.c
@@ -4243,20 +4243,28 @@ char* parseTagDatatoJson(void *p){
        }
        cJSON_AddItemToObject(json, tagJsonKey, value);
      }else if(type == TSDB_DATA_TYPE_NCHAR) {
-        char *tagJsonValue = calloc(varDataLen(realData), 1);
-        int32_t length = taosUcs4ToMbs(varDataVal(realData), varDataLen(realData), tagJsonValue);
-        if (length < 0) {
-          tsdbError("charset:%s to %s. val:%s convert json value failed.", DEFAULT_UNICODE_ENCODEC, tsCharset,
-                   (char*)val);
+        cJSON* value = NULL;
+        if (varDataLen(realData) > 0){
+          char *tagJsonValue = calloc(varDataLen(realData), 1);
+          int32_t length = taosUcs4ToMbs(varDataVal(realData), varDataLen(realData), tagJsonValue);
+          if (length < 0) {
+            tsdbError("charset:%s to %s. val:%s convert json value failed.", DEFAULT_UNICODE_ENCODEC, tsCharset,
+                      (char*)val);
+            free(tagJsonValue);
+            goto end;
+          }
+          value = cJSON_CreateString(tagJsonValue);
          free(tagJsonValue);
-          goto end;
-        }
-        cJSON* value = cJSON_CreateString(tagJsonValue);
-        free(tagJsonValue);
-        if (value == NULL)
-        {
-          goto end;
+          if (value == NULL)
+          {
+            goto end;
+          }
+        }else if(varDataLen(realData) == 0){
+          value = cJSON_CreateString("");
+        }else{
+          assert(0);
        }
+
        cJSON_AddItemToObject(json, tagJsonKey, value);
      }else if(type == TSDB_DATA_TYPE_DOUBLE){
        double jsonVd = *(double*)(realData);