From 65d758aa891bdafca6c881d3e7075979de3395e9 Mon Sep 17 00:00:00 2001
From: Sergei Golubchik
Date: Sat, 30 Mar 2019 12:52:23 +0100
Subject: [PATCH] MDEV-18298 Crashes server with segfault during role grants

it was supposed to be `*(p-1)` not `*p-1` (the crash happens if `*p==0`)
---
 .../suite/roles/flush_roles-17898.result | 27 +++++++++++++++++++
 mysql-test/suite/roles/flush_roles-17898.test | 25 +++++++++++++++++
 sql/sql_acl.cc | 2 +-
 3 files changed, 53 insertions(+), 1 deletion(-)

diff --git a/mysql-test/suite/roles/flush_roles-17898.result b/mysql-test/suite/roles/flush_roles-17898.result
index c09fa166dc0..71ae28dd4ff 100644
--- a/mysql-test/suite/roles/flush_roles-17898.result
+++ b/mysql-test/suite/roles/flush_roles-17898.result
@@ -11,3 +11,30 @@ flush privileges;
 drop role dwr_foo;
 drop role dwr_bar;
 drop role dwr_qux_dev;
+use test;
+create table db_copy as select * from mysql.db;
+delete from mysql.db;
+flush privileges;
+create user u1@localhost;
+create role r1;
+create role r2;
+grant r1 to u1@localhost;
+grant select on test.* to r2;
+grant select on m_.* to r2;
+grant r2 to r1;
+show grants for u1@localhost;
+Grants for u1@localhost
+GRANT r1 TO 'u1'@'localhost'
+GRANT USAGE ON *.* TO 'u1'@'localhost'
+show grants for r1;
+Grants for r1
+GRANT r2 TO 'r1'
+GRANT USAGE ON *.* TO 'r1'
+GRANT USAGE ON *.* TO 'r2'
+GRANT SELECT ON `test`.* TO 'r2'
+GRANT SELECT ON `m_`.* TO 'r2'
+drop user u1@localhost;
+drop role r1, r2;
+insert mysql.db select * from db_copy;
+flush privileges;
+drop table db_copy;
diff --git a/mysql-test/suite/roles/flush_roles-17898.test b/mysql-test/suite/roles/flush_roles-17898.test
index e94efc44dd0..6800efd5b3f 100644
--- a/mysql-test/suite/roles/flush_roles-17898.test
+++ b/mysql-test/suite/roles/flush_roles-17898.test
@@ -1,3 +1,4 @@
+source include/not_embedded.inc;
 #
 # MDEV-17898 FLUSH PRIVILEGES crashes server with segfault
 #
@@ -9,3 +10,27 @@ flush privileges;
 drop role dwr_foo;
 drop role dwr_bar;
 drop role dwr_qux_dev;
+use test;
+
+#
+# MDEV-18298 Crashes server with segfault during role grants
+#
+create table db_copy as select * from mysql.db;
+delete from mysql.db;
+flush privileges;
+
+create user u1@localhost;
+create role r1;
+create role r2;
+grant r1 to u1@localhost;
+grant select on test.* to r2;
+grant select on m_.* to r2;
+grant r2 to r1;
+show grants for u1@localhost;
+show grants for r1;
+drop user u1@localhost;
+drop role r1, r2;
+
+insert mysql.db select * from db_copy;
+flush privileges;
+drop table db_copy;
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
index ff18c1d4c10..c2e5bfd8c11 100644
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -5311,7 +5311,7 @@ static bool merge_role_db_privileges(ACL_ROLE *grantee, const char *dbname,
 ulong UNINIT_VAR(access), update_flags= 0;
 for (int *p= dbs.front(); p <= dbs.back(); p++)
 {
- if (first<0 || (!dbname && strcmp(acl_dbs.at(*p).db, acl_dbs.at(*p-1).db)))
+ if (first<0 || (!dbname && strcmp(acl_dbs.at(p[0]).db, acl_dbs.at(p[-1]).db)))
 { // new db name series
 update_flags|= update_role_db(merged, first, access, grantee->user.str);
 merged= -1;
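Review bot: The new MDEV-18298 block in flush_roles-17898.test (hunk `@@ -9,3 +10,27 @@`) empties `mysql.db` and later restores it from `db_copy` without saying why the table has to be empty. Going by the commit message, the crash needs `*p==0`, so presumably the setup exists to make the first database-level grant land at index 0 of the ACL array. A line under the MDEV header such as `# mysql.db is emptied so the grants below take the first acl_dbs slots (the crash needed index 0)` would record that. Without it the setup reads as incidental and could be dropped in a later cleanup, silently losing the regression coverage.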
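Review bot: In the sql/sql_acl.cc hunk, the `acl_dbs.at(p[-1])` read in the changed condition stays in bounds only because `first<0` short-circuits the `||` on the iteration where `p == dbs.front()`, and nothing in the hunk states that invariant. The initialisation of `first` lies outside the hunk, so it is presumably negative on entry; that should be confirmed. A comment above the `if` such as `// p[-1] is read only when first >= 0, i.e. after the first element of dbs` would keep a later edit to the condition from reintroducing an out-of-range index into the ACL array. Going by the commit title, this path runs during role grants, so a bad index here is a server crash that an account permitted to grant roles can trigger. The loop body continues past the end of the hunk.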