Bug#30668886 Missing out-of-bounds check caused false read

A missing out-of-bounds check in wild_case_match caused a
pointer to read out of bounds.

RB: 23965

Author: Kristofer Älvring

sql/auth/sql_auth_cache.cc

@@ -619,23 +619,26 @@ int wild_case_compare(CHARSET_INFO *cs, const char *str, size_t str_len,
 
   while (wildstr != wildstr_end && str != str_end) {
     while (wildstr != wildstr_end && *wildstr != wild_many &&
-           *wildstr != wild_one) {
+           *wildstr != wild_one && str != str_end) {
       if (*wildstr == wild_prefix && wildstr[1]) wildstr++;
       if (my_toupper(cs, *wildstr++) != my_toupper(cs, *str++)) return 1;
     }
     if (wildstr == wildstr_end) {
       return str != str_end;
     }
+    if (str == str_end) {
+      if (*wildstr == '%' && wildstr + 1 == wildstr_end)
+        return 0; /* % match empty string */
+      return (wildstr != wildstr_end);
+    }
     if (*wildstr++ == wild_one) {
       ++str;
       if (str == str_end) /* One char; skip */
       {
         return wildstr != wildstr_end;
       }
-    } else { /* Found '*' */
-      if (wildstr == wildstr_end) {
-        return 0; /* '*' as last char: OK */
-      }
+    } else {                                 /* Found wild_many */
+      if (wildstr == wildstr_end) return 0;  // empty matches wild_many
       flag = (*wildstr != wild_many && *wildstr != wild_one);
       do {
         if (flag) {
@@ -646,8 +649,9 @@ int wild_case_compare(CHARSET_INFO *cs, const char *str, size_t str_len,
           if (str == str_end) return 1;
         }
         if (wild_case_compare(cs, str, str_end - str, wildstr,
-                              wildstr_end - wildstr) == 0)
+                              wildstr_end - wildstr) == 0) {
           return 0;
+        }
         ++str;
       } while (str != str_end);
       return 1;

unittest/gunit/wild_case_compare-t.cc

@@ -1,4 +1,4 @@
-/* Copyright (c) 2016, 2017, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2016, 2020, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License, version 2.0,
@@ -52,7 +52,69 @@ TEST_F(WildCaseCompareTest, BasicTest) {
             wild_case_compare(system_charset_info, "aaaa_users_lost_aaaa", ""));
   EXPECT_EQ(0, wild_case_compare(system_charset_info, "aaaa", "%%%%"));
   EXPECT_EQ(1, wild_case_compare(system_charset_info, "\\_\\_\\_", "_\\_\\_"));
+  EXPECT_EQ(0, wild_case_compare(system_charset_info, "xyz", "%"));
+  EXPECT_EQ(0, wild_case_compare(system_charset_info, "xyz", "%%"));
+  EXPECT_EQ(0, wild_case_compare(system_charset_info, "xyz", ("%%%")));
+  EXPECT_EQ(0, wild_case_compare(system_charset_info, "xyz", ("xyz")));
+  EXPECT_EQ(0, wild_case_compare(system_charset_info, "xyz", "%yz"));
+  EXPECT_EQ(0, wild_case_compare(system_charset_info, "xyz", "x%z"));
+  EXPECT_EQ(0, wild_case_compare(system_charset_info, "xyz", "xy%"));
+  EXPECT_EQ(0, wild_case_compare(system_charset_info, "xyz", "___"));
+  EXPECT_EQ(0, wild_case_compare(system_charset_info, "xyz", "__z"));
+  EXPECT_EQ(0, wild_case_compare(system_charset_info, "xyz", "xyz"));
+  EXPECT_EQ(0, wild_case_compare(system_charset_info, "xyz", "_yz"));
+  EXPECT_EQ(0, wild_case_compare(system_charset_info, "xyz", "x_z"));
+  EXPECT_EQ(0, wild_case_compare(system_charset_info, "xyz", "xy_"));
+  EXPECT_EQ(0, wild_case_compare(system_charset_info, "xyz", "x__"));
+  EXPECT_EQ(1, wild_case_compare(system_charset_info, "xyza", "___"));
+  EXPECT_EQ(1, wild_case_compare(system_charset_info, "xyza", "__z"));
+  EXPECT_EQ(1, wild_case_compare(system_charset_info, "xyza", "xyz"));
+  EXPECT_EQ(1, wild_case_compare(system_charset_info, "xyza", "_yz"));
+  EXPECT_EQ(1, wild_case_compare(system_charset_info, "xyza", "x_z"));
+  EXPECT_EQ(1, wild_case_compare(system_charset_info, "xyza", "xy_"));
+  EXPECT_EQ(1, wild_case_compare(system_charset_info, "xyza", "x__"));
+  EXPECT_EQ(1, wild_case_compare(system_charset_info, "xyz", "xyzz"));
+  EXPECT_EQ(1, wild_case_compare(system_charset_info, "xyz", "%yzz"));
+  EXPECT_EQ(1, wild_case_compare(system_charset_info, "xyz", "x%zz"));
+  EXPECT_EQ(1, wild_case_compare(system_charset_info, "xyz", "x%%zz"));
+  EXPECT_EQ(1, wild_case_compare(system_charset_info, "xyz", "x%%%zz"));
+
+  EXPECT_EQ(0, wild_case_compare(system_charset_info, "xyz_", "xyz_"));
+  EXPECT_EQ(0, wild_case_compare(system_charset_info, "xyz_", "xyz\\_"));
+  EXPECT_EQ(0, wild_case_compare(system_charset_info, "xy_z_", "xy\\_z\\_"));
+  EXPECT_EQ(0, wild_case_compare(system_charset_info, "xy%z%", "xy\\%z\\%"));
+  EXPECT_EQ(0, wild_case_compare(system_charset_info, "xy%za", "xy\\%z%"));
+  EXPECT_EQ(0, wild_case_compare(system_charset_info, "xy%zaaaaa", "xy\\%z%"));
+  EXPECT_EQ(0,
+            wild_case_compare(system_charset_info,
+                              "xy%zabcdefghiljklomnopqrstuvwxyz", "xy\\%z%"));
+  EXPECT_EQ(1,
+            wild_case_compare(system_charset_info,
+                              "xy%aabcdefghiljklomnopqrstuvwxyz", "xy\\%z%"));
+  EXPECT_EQ(0, wild_case_compare(system_charset_info, "xy%zaa%aa", "xy\\%z%"));
+  EXPECT_EQ(0, wild_case_compare(system_charset_info, "%", "\\%"));
+  EXPECT_EQ(0, wild_case_compare(system_charset_info, "_", "\\_"));
+  EXPECT_EQ(0, wild_case_compare(system_charset_info, "___", "\\_\\_\\_"));
   EXPECT_EQ(0, wild_case_compare(system_charset_info, "___", "_\\_\\_"));
+  EXPECT_EQ(0, wild_case_compare(system_charset_info, "___", "__\\_"));
+  EXPECT_EQ(1,
+            wild_case_compare(system_charset_info, "\\_\\_\\_", "\\_\\_\\_"));
+  EXPECT_EQ(1,
+            wild_case_compare(system_charset_info, "\\%\\%\\%", "\\%\\%\\%"));
+  EXPECT_EQ(1, wild_case_compare(system_charset_info, "\\%\\%\\%", "\\%\\%"));
+  EXPECT_EQ(1, wild_case_compare(system_charset_info, "\\%\\%\\%", "\\%"));
+  EXPECT_EQ(0, wild_case_compare(system_charset_info, "\\%\\%\\%", "%"));
+  EXPECT_EQ(1, wild_case_compare(system_charset_info, "\\\\", "\\\\"));
+  EXPECT_EQ(0, wild_case_compare(system_charset_info, "\\\\", "\\\\\\\\"));
+  EXPECT_EQ(0, wild_case_compare(system_charset_info, "åäö", "åäö"));
+  EXPECT_EQ(0, wild_case_compare(system_charset_info, "xyz", "xyz%"));
+  EXPECT_EQ(0, wild_case_compare(system_charset_info, "", "%"));
+  EXPECT_EQ(1, wild_case_compare(system_charset_info, "", ""));
+
+  EXPECT_EQ(0, wild_case_compare(system_charset_info, "db1", "db_"));
+  EXPECT_EQ(1, wild_case_compare(system_charset_info, "dbbb1", "db_"));
+  EXPECT_EQ(1, wild_case_compare(system_charset_info, "dddddb1", "db_"));
+  EXPECT_EQ(1, wild_case_compare(system_charset_info, "dddddb1", "db%"));
   EXPECT_EQ(0, wild_case_compare(system_charset_info, "___", "___"));
   EXPECT_EQ(0, wild_case_compare(system_charset_info, "", "%"));
   EXPECT_EQ(1, wild_case_compare(system_charset_info, "", ""));
@@ -64,5 +126,8 @@ TEST_F(WildCaseCompareTest, BasicTest) {
   EXPECT_EQ(1, wild_case_compare(system_charset_info, "", "db_aaaa"));
   EXPECT_EQ(1, wild_case_compare(system_charset_info, "", "db%aaaa"));
   EXPECT_EQ(1, wild_case_compare(system_charset_info, "", "db%aa_aa"));
+  EXPECT_EQ(0, wild_case_compare(system_charset_info, "aaaAA_*", "%A_*"));
+  EXPECT_EQ(1, wild_case_compare(system_charset_info, "aaaAA_", "%A_*"));
+  EXPECT_EQ(1, wild_case_compare(system_charset_info, "aaF", "%F_*-*=<"));
 }
 }  // namespace wild_case_compare_unittest