From 9542641dae2c2ece410a0986fc2ac52e1dc11ce1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Markus=20M=C3=A4kel=C3=A4?=
Date: Fri, 18 Jan 2019 09:58:55 +0200
Subject: [PATCH] Fix buffer overrun on non-terminated comment

Also made the behavior consistent when an incomplete comment is found.
---
 server/core/modutil.cc                            | 14 +++++++++++++-
 server/core/test/canonical_tests/comment.expected |  4 ++++
 server/core/test/canonical_tests/comment.sql      |  4 ++++
 3 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/server/core/modutil.cc b/server/core/modutil.cc
index ce0d35a20..a425d55d1 100644
--- a/server/core/modutil.cc
+++ b/server/core/modutil.cc
@@ -1466,7 +1466,11 @@ std::string get_canonical(GWBUF* querybuf)
         else if (*it == '/' && is_next(it, buf.end(), "/*"))
         {
             auto comment_start = std::next(it, 2);
-            if (comment_start != buf.end() && *comment_start != '!' && *comment_start != 'M')
+            if (comment_start == buf.end())
+            {
+                break;
+            }
+            else if (*comment_start != '!' && *comment_start != 'M')
             {
                 // Non-executable comment
                 while (it != buf.end())
@@ -1479,6 +1483,11 @@ std::string get_canonical(GWBUF* querybuf)
                 }
                 ++it;
             }
+
+            if (it == buf.end())
+            {
+                break;
+            }
         }
         else
         {
@@ -1507,6 +1516,7 @@ std::string get_canonical(GWBUF* querybuf)
             ++it;
         }
 
+
         if (it == buf.end())
         {
             break;
@@ -1545,6 +1555,8 @@ std::string get_canonical(GWBUF* querybuf)
         {
             rval[i++] = *it;
         }
+
+        mxb_assert(it != buf.end());
     }
 
     // Shrink the buffer so that the internal bookkeeping of std::string remains up to date
diff --git a/server/core/test/canonical_tests/comment.expected b/server/core/test/canonical_tests/comment.expected
index e0d89b991..5b7da71a1 100644
--- a/server/core/test/canonical_tests/comment.expected
+++ b/server/core/test/canonical_tests/comment.expected
@@ -9,3 +9,7 @@ SELECT ? /*! +? */;
 SELECT ? /*!? +? */;
 SELECT ? /*M! +? */;
 SELECT ? /*M!? +? */;
+SELECT ? 
+SELECT ? 
+SELECT ? 
+SELECT ? 
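Review bot: The new `break` taken when `comment_start == buf.end()` silently truncates the query at a bare trailing `/*` — what was copied so far is kept, the `/*` itself is dropped — but nothing in the hunk says this is the intended canonical form rather than an error exit. A comment above the `break` such as `// Unterminated "/*" at end of input: keep what has been canonicalized so far and stop` would record that, and it matches the `comment.expected` lines this commit adds. In the same hunk `std::next(it, 2)` is only in bounds because `is_next(it, buf.end(), "/*")` has presumably already confirmed two characters remain; that dependency is implicit and deserves a one-line comment as well, since a later edit to `is_next` would turn it into the overrun this patch is fixing. The enclosing loop of `get_canonical` starts and ends outside the hunk.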
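Review bot: The only change in the `@@ -1507,6 +1516,7 @@` hunk is a second blank line inserted before `if (it == buf.end())`, which leaves two consecutive empty lines and reads like a leftover from an earlier version of the patch. Dropping that added `+` line keeps the function consistent with the single blank line used between statements elsewhere in it. The surrounding code of `get_canonical` continues outside the hunk.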
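Review bot: `mxb_assert(it != buf.end())` at the end of the loop body is, as far as I can tell, a debug-only assertion, so in a release build it compiles out and a branch that leaves `it` at `buf.end()` would still fall through to whatever increments `it` in the loop header, which is outside the hunk. Since `get_canonical` runs on client-supplied query text, the invariant is worth enforcing in production as well as documenting for debug builds: `mxb_assert(it != buf.end());` followed by `if (it == buf.end()) { break; }` keeps the diagnostic while making an overrun impossible even if a future branch forgets its own end check. A short comment on why the assertion is there (`// every branch above must leave it short of buf.end() or break out`) would also help the next editor.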
diff --git a/server/core/test/canonical_tests/comment.sql b/server/core/test/canonical_tests/comment.sql
index 904752017..181f6db1f 100644
--- a/server/core/test/canonical_tests/comment.sql
+++ b/server/core/test/canonical_tests/comment.sql
@@ -9,3 +9,7 @@ SELECT 1 /*! +1 */;
 SELECT 1 /*!50101 +1 */;
 SELECT 2 /*M! +1 */;
 SELECT 2 /*M!50101 +1 */;
+SELECT 2 /*
+SELECT 2 /*
+SELECT 2 /*/
+SELECT 2 /**/
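Review bot: The four new cases only exercise the non-executable comment path (`/*`, `/*/`, `/**/`); an unterminated executable comment such as `SELECT 2 /*!` or `SELECT 2 /*M!50101` goes down the `else` branch of the same `if`/`else if` chain in `get_canonical`, which this commit does not touch, so the end-of-buffer handling on that path is not pinned by any test. Adding `SELECT 2 /*!` and `SELECT 2 /*M` here, with matching lines in `comment.expected`, would cover it. The first two added lines also read identically as `SELECT 2 /*` in this rendering; if one of them was meant to differ (a trailing space, or `/*!`), the committed file is worth a second look.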