Repository: impala Updated Branches: refs/heads/master bddd7def9 -> 3ff4cde77
IMPALA-6844: Fix possible NULL dereference in to_date() builtin If result.ptr allocation fails for some reason inside the StringVal constructor, we still overwrite result.len and continue. This change checks that the StringVal pointer is not NULL before dereferencing it, and returns NULL if it is. Testing: Added a test case of the to_date() function to alloc-fail-init.test to leverage the fault injector --stress_fn_ctx_alloc. Change-Id: I14cfb29a592885bb2f39958c8644f93db5220a68 Reviewed-on: http://gerrit.cloudera.org:8080/11286 Tested-by: Impala Public Jenkins <[email protected]> Reviewed-by: Tim Armstrong <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/impala/repo Commit: http://git-wip-us.apache.org/repos/asf/impala/commit/3ff4cde7 Tree: http://git-wip-us.apache.org/repos/asf/impala/tree/3ff4cde7 Diff: http://git-wip-us.apache.org/repos/asf/impala/diff/3ff4cde7 Branch: refs/heads/master Commit: 3ff4cde772b96e040316e6a08e384b5e065c79b7 Parents: bddd7de Author: Vincent Tran <[email protected]> Authored: Mon Aug 20 13:13:28 2018 -0400 Committer: Tim Armstrong <[email protected]> Committed: Tue Aug 21 22:06:02 2018 +0000 ---------------------------------------------------------------------- be/src/exprs/timestamp-functions-ir.cc | 2 ++ .../functional-query/queries/QueryTest/alloc-fail-init.test | 5 +++++ 2 files changed, 7 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/impala/blob/3ff4cde7/be/src/exprs/timestamp-functions-ir.cc ---------------------------------------------------------------------- diff --git a/be/src/exprs/timestamp-functions-ir.cc b/be/src/exprs/timestamp-functions-ir.cc index e328b9e..d3cb134 100644 --- a/be/src/exprs/timestamp-functions-ir.cc +++ b/be/src/exprs/timestamp-functions-ir.cc 
@@ -329,6 +329,8 @@ StringVal TimestampFunctions::ToDate(FunctionContext* context, // our built-in functions might incorrectly return such a malformed timestamp. if (!ts_value.HasDate()) return StringVal::null(); StringVal result(context, 10); + // Return NULL if 'result' allocation fails inside of the StringVal constructor. + if (UNLIKELY(result.is_null)) return StringVal::null(); result.len = 10; // Fill in year, month, and day. IntToChar(result.ptr, ts_value.date().year(), 4); http://git-wip-us.apache.org/repos/asf/impala/blob/3ff4cde7/testdata/workloads/functional-query/queries/QueryTest/alloc-fail-init.test ---------------------------------------------------------------------- diff --git a/testdata/workloads/functional-query/queries/QueryTest/alloc-fail-init.test b/testdata/workloads/functional-query/queries/QueryTest/alloc-fail-init.test index 5130cdb..1adc9ad 100644 --- a/testdata/workloads/functional-query/queries/QueryTest/alloc-fail-init.test +++ b/testdata/workloads/functional-query/queries/QueryTest/alloc-fail-init.test @@ -60,3 +60,8 @@ select appx_median(int_col) from functional.alltypes ---- CATCH FunctionContext::Allocate() failed to allocate 248 bytes. ==== +---- QUERY +select to_date(now()) +---- CATCH +FunctionContextImpl::AllocateForResults() failed to allocate 10 bytes. +====
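Review bot: In the ToDate() hunk of be/src/exprs/timestamp-functions-ir.cc, the unchanged line `result.len = 10;` that follows the new `is_null` check repeats the length already passed in `StringVal result(context, 10);`. If the constructor sets `len` on a successful allocation, the assignment can be dropped. If it has to stay, a named constant for the 10-byte date length would keep the two sites in sync. The commit message also speaks of checking that the pointer is not NULL, while the added line tests `result.is_null`. The new comment should say that the constructor marks the value as null when allocation fails, so it is clear why `result.ptr` is safe to pass to `IntToChar()` afterwards.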
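Review bot: In the alloc-fail-init.test hunk, the new CATCH line `FunctionContextImpl::AllocateForResults() failed to allocate 10 bytes.` hardcodes both the allocator name and the buffer size used in ToDate(), so any change to the result length or to the error wording will fail this test for a reason unrelated to the NULL check. Consider matching on a shorter stable fragment of the message, or note in the test that the 10 corresponds to the `StringVal result(context, 10)` allocation. The case also only covers `to_date(now())`, which confirms that the query fails cleanly under the fault injector but not that a successful allocation still returns the expected date string. If that path is not already covered elsewhere, a companion positive case would close the gap.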
