Bug#48319: Server crashes on "GRANT/REVOKE ... TO CURRENT_USER"

CURRENT_USER() in GRANT ... TO CURRENT_USER() only gave us a definer,
not a full user (i.e., password-element was not initiliazed). Hence
dereferencing the password led to a crash.

Properly initializes definers now, just so there are no misunderstandings.
Also does some magic so IDENTIFIED BY ... works with CURRENT_USER().

2 files changed, 12 insertions, 0 deletions

diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
index 0592bb3be1d..5259b560532 100644
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -3451,6 +3451,13 @@ bool mysql_grant(THD *thd, const char *db, List <LEX_USER> &list,
       result= TRUE;
       continue;
     }
+    /*
+      No User, but a password?
+      They did GRANT ... TO CURRENT_USER() IDENTIFIED BY ... !
+      Get the current user, and shallow-copy the new password to them!
+    */
+    if (!tmp_Str->user.str && tmp_Str->password.str)
+      Str->password= tmp_Str->password;
     if (replace_user_table(thd, tables[0].table, *Str,
                            (!db ? rights : 0), revoke_grant, create_new_users,
                            test(thd->variables.sql_mode &
diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc
index 2e150ca1542..65d86814045 100644
--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -7573,6 +7573,9 @@ void get_default_definer(THD *thd, LEX_USER *definer)
 
   definer->host.str= (char *) sctx->priv_host;
   definer->host.length= strlen(definer->host.str);
+
+  definer->password.str= NULL;
+  definer->password.length= 0;
 }
 
 
@@ -7624,6 +7627,8 @@ LEX_USER *create_definer(THD *thd, LEX_STRING *user_name, LEX_STRING *host_name)
 
   definer->user= *user_name;
   definer->host= *host_name;
+  definer->password.str= NULL;
+  definer->password.length= 0;
 
   return definer;
 }