Added bounds check in ColumnVector::insert_indices_from()

root · root · commit 77bda5cc3aa2 · 2025-10-06T07:05:35.000Z
diff --git a/be/src/vec/columns/column_vector.cpp b/be/src/vec/columns/column_vector.cpp
@@ -279,19 +279,35 @@ void ColumnVector<T>::insert_range_from(const IColumn& src, size_t start, size_t
 template <PrimitiveType T>
 void ColumnVector<T>::insert_indices_from(const IColumn& src, const uint32_t* indices_begin,
                                           const uint32_t* indices_end) {
+    const auto& src_concrete = static_cast<const ColumnVector<T>&>(src);
+    size_t src_size = src_concrete.size();
+    if (indices_begin == nullptr || indices_end == nullptr || indices_begin > indices_end) {
+        throw Exception(ErrorCode::INTERNAL_ERROR,
+                        "Invalid index range: begin={}, end={}",
+                        static_cast<const void*>(indices_begin),
+                        static_cast<const void*>(indices_end));
+    }
+                                            
     auto origin_size = size();
     auto new_size = indices_end - indices_begin;
+    if (new_size == 0) {
+        return;
+    }
     data.resize(origin_size + new_size);
 
     auto copy = [](const value_type* __restrict src, value_type* __restrict dest,
-                   const uint32_t* __restrict begin, const uint32_t* __restrict end) {
+                   const uint32_t* __restrict begin, const uint32_t* __restrict end, size_t src_size) {
         for (const auto* it = begin; it != end; ++it) {
+            if (*it >= src_size) {
+                throw Exception(ErrorCode::INTERNAL_ERROR,
+                                "Index {} exceeds source column size {}", *it, src_size);
+            }
             *dest = src[*it];
             ++dest;
         }
     };
     copy(reinterpret_cast<const value_type*>(src.get_raw_data().data), data.data() + origin_size,
-         indices_begin, indices_end);
+         indices_begin, indices_end, src_size);
 }
 
 template <PrimitiveType T>
diff --git a/be/test/vec/core/column_vector_test.cpp b/be/test/vec/core/column_vector_test.cpp
@@ -24,6 +24,8 @@
 #include <string>
 
 #include "gtest/gtest_pred_impl.h"
+#include "vec/core/types.h"
+#include "vec/data_types/data_type_number.h"
 
 namespace doris::vectorized {
 
@@ -38,4 +40,36 @@ TEST(VColumnVectorTest, insert_date_column) {
     ASSERT_EQ(column->size(), rows);
 }
 
+TEST(VColumnVectorTest, insert_indices_from_uInt64_crash) {
+    auto src = ColumnInt64::create();
+    std::vector<int64_t> src_values = {10LL, 20LL, 30LL, 40LL};
+    for (auto v : src_values) {
+        src->insert(Field::create_field<PrimitiveType::TYPE_BIGINT>(v));
+    }
+    ASSERT_EQ(src->size(), 4);
+
+    auto dest = ColumnInt64::create();
+    std::vector<int64_t> dest_values = {1LL, 2LL};
+    for (auto v : dest_values) {
+        dest->insert(Field::create_field<PrimitiveType::TYPE_BIGINT>(v));
+    }
+
+    // Valid indices (should work)
+    uint32_t valid_indices[] = {0, 2, 3};
+    dest->insert_indices_from(*src, valid_indices, valid_indices + 3);
+    ASSERT_EQ(dest->size(), 5); // 2 original + 3 inserted
+    ASSERT_EQ(dest->get_int(2), 10LL); // Check inserted value
+
+    // Invalid indices to trigger crash
+    uint32_t invalid_indices[] = {0, 2, 1000000000U, 2000000000U}; // Large indices to hit unmapped memory (src size = 4)
+    try {
+        dest->insert_indices_from(*src, invalid_indices, invalid_indices + 4);
+        FAIL() << "Expected Exception for out-of-bounds indices";
+    } catch (const Exception& e) {
+        ASSERT_EQ(e.code(), ErrorCode::INTERNAL_ERROR);
+        ASSERT_TRUE(std::string(e.to_string()).find("Index 1000000000 exceeds source column size 4") !=
+                    std::string::npos);
+    }
+}
+
 } // namespace doris::vectorized
