[BugFix] Fix Left Anti join null_array UAF

Signed-off-by: stdpain <[email protected]>
stdpain · Dec 6, 2024 · 408f054 · 408f054
1 parent 815b720
commit 408f054
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 1 deletion.
diff --git a/be/src/exec/join_hash_map.cpp b/be/src/exec/join_hash_map.cpp
@@ -228,6 +228,8 @@ void SerializedJoinProbeFunc::_probe_column(const JoinHashTableItems& table_item
         ptr += probe_state->probe_slice[i].size;
     }
 
+    probe_state->null_array = nullptr;
+
     for (uint32_t i = 0; i < row_count; i++) {
         probe_state->next[i] = table_items.first[probe_state->buckets[i]];
     }

diff --git a/be/src/exec/join_hash_map.tpp b/be/src/exec/join_hash_map.tpp
@@ -351,7 +351,7 @@ void FixedSizeJoinProbeFunc<LT>::_probe_column(const JoinHashTableItems& table_i
                                                            row_count);
     const auto& data = get_key_data(*probe_state);
     JoinHashMapHelper::calc_bucket_nums<CppType>(data, table_items.bucket_size, &probe_state->buckets, 0, row_count);
-
+    probe_state->null_array = nullptr;
     for (uint32_t i = 0; i < row_count; i++) {
         probe_state->next[i] = table_items.first[probe_state->buckets[i]];
     }

diff --git a/test/sql/test_join/R/test_null_aware_anti_join b/test/sql/test_join/R/test_null_aware_anti_join
@@ -69,4 +69,15 @@ select * from lineitem_nullable l1 where l1.l_orderkey not in ( select l3.l_orde
 None	None	None
 2	3	None
 2	3	2
+-- !result
+set pipeline_dop = 1;
+-- result:
+-- !result
+select count(*) from (SELECT * from (SELECT if (generate_series <= 1000, null, generate_series) x0 FROM TABLE(generate_series(1,  8192))) t where (x0, x0 + 1) not in  ( select l3.l_orderkey, l3.l_orderkey + 1 from lineitem l3 ) order by 1) t;
+-- result:
+7192
+-- !result
+select count(*) from (SELECT * from (SELECT if (generate_series <= 1000, null, generate_series) x0 FROM TABLE(generate_series(1,  8192))) t where (x0, concat("l", x0)) not in  ( select l3.l_orderkey, concat("l", l_orderkey) from lineitem l3 ) order by 1) t;
+-- result:
+7192
 -- !result
diff --git a/test/sql/test_join/T/test_null_aware_anti_join b/test/sql/test_join/T/test_null_aware_anti_join
@@ -39,3 +39,9 @@ select * from lineitem_nullable l1 where l1.l_orderkey not in ( select l3.l_orde
 select * from lineitem_nullable l1 where l1.l_orderkey in ( select l3.l_orderkey from lineitem_nullable l3 ) order by 1,2,3;
 select * from lineitem_nullable l1 where l1.l_orderkey not in ( select l3.l_orderkey from lineitem_nullable l3 where  l3.l_suppkey = l1.l_suppkey ) order by 1,2,3;
 select * from lineitem_nullable l1 where l1.l_orderkey not in ( select l3.l_orderkey from lineitem_nullable l3 where  l3.l_suppkey != l1.l_suppkey ) order by 1,2,3;
+
+set pipeline_dop = 1;
+-- branch fixed size keys
+select count(*) from (SELECT * from (SELECT if (generate_series <= 1000, null, generate_series) x0 FROM TABLE(generate_series(1,  8192))) t where (x0, x0 + 1) not in  ( select l3.l_orderkey, l3.l_orderkey + 1 from lineitem l3 ) order by 1) t;
+-- branch serialized keys
+select count(*) from (SELECT * from (SELECT if (generate_series <= 1000, null, generate_series) x0 FROM TABLE(generate_series(1,  8192))) t where (x0, concat("l", x0)) not in  ( select l3.l_orderkey, concat("l", l_orderkey) from lineitem l3 ) order by 1) t;