(impala) 01/02: IMPALA-12661: Fix ASAN heap-use-after-free in IcebergMetadataScanNode

Fri, 22 Dec 2023 13:56:58 -0800 

This is an automated email from the ASF dual-hosted git repository.

wzhou pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/impala.git

commit 9fd1c81845e7d84ed6b9a903aa6ebe37a8abd254
Author: Tamas Mate <[email protected]>
AuthorDate: Thu Dec 21 19:07:09 2023 +0100

    IMPALA-12661: Fix ASAN heap-use-after-free in IcebergMetadataScanNode
    
    The ASAN builds detected that the IcebergMetadataScanNode uses heap
    allocated memory after it has been freed.
    
    In CreateFieldAccessors() method, during tree traversal, the
    current_type variable is reassigned to its children which is part of
    of the object. However, by the end of the assignment the rhs object will
    be destroyed. To fix this issue, the variable was replaced with a pointer.
    
    Testing:
     - Ran tests on ASAN build
    
    Change-Id: I6df9c9cb6914a0c6c93b61aa0dd02acfdba68851
    Reviewed-on: http://gerrit.cloudera.org:8080/20829
    Reviewed-by: Impala Public Jenkins <[email protected]>
    Tested-by: Impala Public Jenkins <[email protected]>
---
 be/src/exec/iceberg-metadata/iceberg-metadata-scan-node.cc | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/be/src/exec/iceberg-metadata/iceberg-metadata-scan-node.cc 
b/be/src/exec/iceberg-metadata/iceberg-metadata-scan-node.cc
index f7f5c9a6d..d779992fb 100644
--- a/be/src/exec/iceberg-metadata/iceberg-metadata-scan-node.cc
+++ b/be/src/exec/iceberg-metadata/iceberg-metadata-scan-node.cc
@@ -104,12 +104,12 @@ Status IcebergMetadataScanNode::CreateFieldAccessors() {
       // STRUCT node that stores the primitive type. Because, that struct node 
has the
       // field id list of its childs.
       int root_type_index = slot_desc->col_path()[0];
-      ColumnType current_type =
-          tuple_desc_->table_desc()->col_descs()[root_type_index].type();
+      ColumnType* current_type = &const_cast<ColumnType&>(
+          tuple_desc_->table_desc()->col_descs()[root_type_index].type());
       for (int i = 1; i < slot_desc->col_path().size() - 1; ++i) {
-        current_type = current_type.children[slot_desc->col_path()[i]];
+        current_type = &current_type->children[slot_desc->col_path()[i]];
       }
-      int field_id = current_type.field_ids[slot_desc->col_path().back()];
+      int field_id = current_type->field_ids[slot_desc->col_path().back()];
       RETURN_IF_ERROR(AddAccessorForFieldId(env, field_id, slot_desc->id()));
     } else {
       // For primitives in the top level tuple, use the ColumnDescriptor

Reply via email to