MDEV-18298 Crashes server with segfault during role grants

it was supposed to be `*(p-1)` not `*p-1` (the crash happens if `*p==0`)

MDEV-18298 Crashes server with segfault during role grants
it was supposed to be `*(p-1)` not `*p-1` (the crash happens if `*p==0`)
65d758aa · Sergei Golubchik · 409f69cd · 65d758aa · 65d758aa · 65d758aa
Commit 65d758aa authored Mar 30, 2019 by Sergei Golubchik
3 changed files
--- a/mysql-test/suite/roles/flush_roles-17898.result
+++ b/mysql-test/suite/roles/flush_roles-17898.result
@@ -11,3 +11,30 @@ flush privileges;
 drop role dwr_foo;
 drop role dwr_bar;
 drop role dwr_qux_dev;
+use test;
+create table db_copy as select * from mysql.db;
+delete from mysql.db;
+flush privileges;
+create user u1@localhost;
+create role r1;
+create role r2;
+grant r1 to u1@localhost;
+grant select on test.* to r2;
+grant select on m_.* to r2;
+grant r2 to r1;
+show grants for u1@localhost;
+Grants for u1@localhost
+GRANT r1 TO 'u1'@'localhost'
+GRANT USAGE ON *.* TO 'u1'@'localhost'
+show grants for r1;
+Grants for r1
+GRANT r2 TO 'r1'
+GRANT USAGE ON *.* TO 'r1'
+GRANT USAGE ON *.* TO 'r2'
+GRANT SELECT ON `test`.* TO 'r2'
+GRANT SELECT ON `m_`.* TO 'r2'
+drop user u1@localhost;
+drop role r1, r2;
+insert mysql.db select * from db_copy;
+flush privileges;
+drop table db_copy;
--- a/mysql-test/suite/roles/flush_roles-17898.test
+++ b/mysql-test/suite/roles/flush_roles-17898.test
+source include/not_embedded.inc;
 #
 # MDEV-17898 FLUSH PRIVILEGES crashes server with segfault
 #
@@ -9,3 +10,27 @@ flush privileges;
 drop role dwr_foo;
 drop role dwr_bar;
 drop role dwr_qux_dev;
+use test;
+
+#
+# MDEV-18298 Crashes server with segfault during role grants
+#
+create table db_copy as select * from mysql.db;
+delete from mysql.db;
+flush privileges;
+
+create user u1@localhost;
+create role r1;
+create role r2;
+grant r1 to u1@localhost;
+grant select on test.* to r2;
+grant select on m_.* to r2;
+grant r2 to r1;
+show grants for u1@localhost;
+show grants for r1;
+drop user u1@localhost;
+drop role r1, r2;
+
+insert mysql.db select * from db_copy;
+flush privileges;
+drop table db_copy;
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -5311,7 +5311,7 @@ static bool merge_role_db_privileges(ACL_ROLE *grantee, const char *dbname,
  ulong UNINIT_VAR(access), update_flags= 0;
  for (int *p= dbs.front(); p <= dbs.back(); p++)
  {
-    if (first<0 || (!dbname && strcmp(acl_dbs.at(*p).db, acl_dbs.at(*p-1).db)))
+    if (first<0 || (!dbname && strcmp(acl_dbs.at(p[0]).db, acl_dbs.at(p[-1]).db)))
    { // new db name series
      update_flags|= update_role_db(merged, first, access, grantee->user.str);
      merged= -1;