Bug#25714674: MYSQL SERVER REMOTE PREAUTH PROBLEM THROUGH INTEGER OVERFLOW

Description: A missing length check for length-encoded string causes
             problem in preauthorization stage.

(cherry picked from commit bb1af908fce21b0d8708cdccde628e3d5b1d86ec)

Author: harinvadodaria

sql/sql_acl.cc

@@ -1,4 +1,4 @@
-/* Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
 sql_authenticate
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -10739,6 +10739,9 @@ char *get_56_lenc_string(char **buffer,
 {
   static char empty_string[1]= { '\0' };
   char *begin= *buffer;
+  uchar *pos= (uchar *)begin;
+  size_t required_length= 9;
+
 
   if (*max_bytes_available == 0)
     return NULL;
@@ -10759,13 +10762,39 @@ char *get_56_lenc_string(char **buffer,
     return empty_string;
   }
 
+  /* Make sure we have enough bytes available for net_field_length_ll */
+  {
+    DBUG_EXECUTE_IF("buffer_too_short_3",
+                    *pos= 252; *max_bytes_available= 2;
+    );
+    DBUG_EXECUTE_IF("buffer_too_short_4",
+                    *pos= 253; *max_bytes_available= 3;
+    );
+    DBUG_EXECUTE_IF("buffer_too_short_9",
+                    *pos= 254; *max_bytes_available= 8;
+    );
+
+    if (*pos <= 251)
+      required_length= 1;
+    if (*pos == 252)
+      required_length= 3;
+    if (*pos == 253)
+      required_length= 4;
+
+    if (*max_bytes_available < required_length)
+      return NULL;
+  }
+
   *string_length= (size_t)net_field_length_ll((uchar **)buffer);
 
   DBUG_EXECUTE_IF("sha256_password_scramble_too_long",
                   *string_length= SIZE_T_MAX;
   );
 
   size_t len_len= (size_t)(*buffer - begin);
+
+  DBUG_ASSERT((*max_bytes_available >= len_len) &&
+              (len_len == required_length));
 
   if (*string_length > *max_bytes_available - len_len)
     return NULL;