[td-225]additional memory border check for the temp query output buffer

src/query/inc/qUtil.h

@@ -52,11 +52,20 @@ static FORCE_INLINE SResultRow *getResultRow(SResultRowInfo *pResultRowInfo, int
   return pResultRowInfo->pResult[slot];
 }
 
-static FORCE_INLINE char *getPosInResultPage(SQuery *pQuery, tFilePage* page, int32_t rowOffset, int16_t offset) {
-  assert(rowOffset >= 0 && pQuery != NULL);
+static FORCE_INLINE char* getPosInResultPage(SQueryRuntimeEnv* pRuntimeEnv, tFilePage* page, int32_t rowOffset,
+                                             int16_t offset, int32_t size) {
+  assert(rowOffset >= 0 && pRuntimeEnv != NULL);
+
+  SQuery* pQuery = pRuntimeEnv->pQuery;
+  int64_t pageSize = pRuntimeEnv->pResultBuf->pageSize;
 
   int32_t numOfRows = (int32_t)GET_ROW_PARAM_FOR_MULTIOUTPUT(pQuery, pQuery->topBotQuery, pQuery->stableQuery);
-  return ((char *)page->data) + rowOffset + offset * numOfRows;
+
+  // buffer overflow check
+  int64_t bufEnd = (rowOffset + offset * numOfRows + size);
+  assert(page->num <= pageSize && bufEnd <= page->num);
+
+  return ((char*)page->data) + rowOffset + offset * numOfRows;
 }
 
 bool isNullOperator(SColumnFilterElem *pFilter, const char* minval, const char* maxval, int16_t type);

src/query/src/qExecutor.c

@@ -3243,7 +3243,7 @@ void setResultRowOutputBufInitCtx(SQueryRuntimeEnv *pRuntimeEnv, SResultRow *pRe
       continue;
     }
 
-    pCtx[i].pOutput = getPosInResultPage(pRuntimeEnv->pQuery, bufPage, pResult->offset, offset);
+    pCtx[i].pOutput = getPosInResultPage(pRuntimeEnv, bufPage, pResult->offset, offset, pCtx[i].outputBytes);
     offset += pCtx[i].outputBytes;
 
     int32_t functionId = pCtx[i].functionId;
@@ -3301,7 +3301,7 @@ void setResultOutputBuf(SQueryRuntimeEnv *pRuntimeEnv, SResultRow *pResult, SQLF
 
   int16_t offset = 0;
   for (int32_t i = 0; i < numOfCols; ++i) {
-    pCtx[i].pOutput = getPosInResultPage(pRuntimeEnv->pQuery, page, pResult->offset, offset);
+    pCtx[i].pOutput = getPosInResultPage(pRuntimeEnv, page, pResult->offset, offset, pCtx[i].outputBytes);
     offset += pCtx[i].outputBytes;
 
     int32_t functionId = pCtx[i].functionId;
@@ -3509,8 +3509,6 @@ void setIntervalQueryRange(SQueryRuntimeEnv *pRuntimeEnv, TSKEY key) {
  */
 
 static int32_t doCopyToSDataBlock(SQueryRuntimeEnv* pRuntimeEnv, SGroupResInfo* pGroupResInfo, int32_t orderType, SSDataBlock* pBlock) {
-  SQuery *pQuery = pRuntimeEnv->pQuery;
-
   int32_t numOfRows = getNumOfTotalRes(pGroupResInfo);
   int32_t numOfResult = pBlock->info.rows; // there are already exists result rows
 
@@ -3545,7 +3543,7 @@ static int32_t doCopyToSDataBlock(SQueryRuntimeEnv* pRuntimeEnv, SGroupResInfo*
       int32_t bytes = pColInfoData->info.bytes;
 
       char *out = pColInfoData->pData + numOfResult * bytes;
-      char *in  = getPosInResultPage(pQuery, page, pRow->offset, offset);
+      char *in  = getPosInResultPage(pRuntimeEnv, page, pRow->offset, offset, bytes);
       memcpy(out, in, bytes * numOfRowsToCopy);
 
       offset += bytes;

src/query/src/qUtil.c

@@ -140,7 +140,7 @@ void clearResultRow(SQueryRuntimeEnv *pRuntimeEnv, SResultRow *pResultRow, int16
       SResultRowCellInfo *pResultInfo = &pResultRow->pCellInfo[i];
 
       int16_t size = pRuntimeEnv->pQuery->pExpr1[i].bytes;
-      char * s = getPosInResultPage(pRuntimeEnv->pQuery, page, pResultRow->offset, offset);
+      char * s = getPosInResultPage(pRuntimeEnv, page, pResultRow->offset, offset, size);
       memset(s, 0, size);
 
       offset += size;