[BugFix] Fix UAF when FixedLengthColumn append self (backport #62375) (#62393)

Signed-off-by: stdpain <drfeng08@gmail.com> Co-authored-by: stdpain <34912776+stdpain@users.noreply.github.com>
2025-08-28 11:11:25 +00:00 · 2025-08-28 11:11:25 +00:00 · 77291b7c49
parent 89cd08dd15
commit 77291b7c49
2 changed files with 12 additions and 8 deletions
--- a/be/src/column/fixed_length_column_base.cpp
+++ b/be/src/column/fixed_length_column_base.cpp
@ -37,32 +37,36 @@ StatusOr<ColumnPtr> FixedLengthColumnBase<T>::upgrade_if_overflow() {

 template <typename T>
 void FixedLengthColumnBase<T>::append(const Column& src, size_t offset, size_t count) {
-    const T* src_data = reinterpret_cast<const T*>(src.raw_data());
+    DCHECK(this != &src);

    const size_t orig_size = _data.size();
    raw::stl_vector_resize_uninitialized(&_data, orig_size + count);

+    const T* src_data = reinterpret_cast<const T*>(src.raw_data());
    strings::memcpy_inlined(_data.data() + orig_size, src_data + offset, count * sizeof(T));
 }

 template <typename T>
 void FixedLengthColumnBase<T>::append_selective(const Column& src, const uint32_t* indexes, uint32_t from,
                                                uint32_t size) {
+    DCHECK(this != &src);
    indexes += from;
-    const T* src_data = reinterpret_cast<const T*>(src.raw_data());

    const size_t orig_size = _data.size();
    raw::stl_vector_resize_uninitialized(&_data, orig_size + size);
    auto* dest_data = _data.data() + orig_size;

+    const T* src_data = reinterpret_cast<const T*>(src.raw_data());
    SIMDGather::gather(dest_data, src_data, indexes, size);
 }

 template <typename T>
 void FixedLengthColumnBase<T>::append_value_multiple_times(const Column& src, uint32_t index, uint32_t size) {
-    const T* src_data = reinterpret_cast<const T*>(src.raw_data());
+    DCHECK(this != &src);
    size_t orig_size = _data.size();
    _data.resize(orig_size + size);
+
+    const T* src_data = reinterpret_cast<const T*>(src.raw_data());
    for (size_t i = 0; i < size; ++i) {
        _data[orig_size + i] = src_data[index];
    }
--- a/be/src/exprs/array_map_expr.cpp
+++ b/be/src/exprs/array_map_expr.cpp
@ -143,18 +143,18 @@ StatusOr<ColumnPtr> ArrayMapExpr::evaluate_lambda_expr(ExprContext* context, Chu
                // or all input columns are constant but lambda expr depends on other capture columns(e.g. array_map(x->x+k,[1,2,3])),
                // we should unpack the const column before evaluation
                size_t elements_num = array_column->get_element_size(0);
-                elements_column = elements_column->clone();
+                auto new_elements_column = elements_column->clone_empty();
                offsets_column = UInt32Column::create();
                // replicate N time and ignore null
                size_t repeat_times = input_elements[i]->size() - null_rows;
-                size_t offset = elements_num;
+                size_t offset = 0;
                offsets_column->append(0);
-                offsets_column->append(offset);
-                for (size_t i = 1; i < repeat_times; i++) {
-                    elements_column->append(*elements_column, 0, elements_num);
+                for (size_t i = 0; i < repeat_times; i++) {
+                    new_elements_column->append(*elements_column, 0, elements_num);
                    offset += elements_num;
                    offsets_column->append(offset);
                }
+                elements_column->swap_column(*new_elements_column);
            }
        } else {
            if (result_null_column != nullptr) {