From 17c752211f039e214d6b055e5f160dfff297b3ae Mon Sep 17 00:00:00 2001
From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Mon, 19 Apr 2021 12:18:50 +0200
Subject: [PATCH] auth: Prevent dereferencing std::string::end() in SimpleMatch

SimpleMatch is called with user-supplied strings in the API and the
bind backend. We might get away with it in most cases because
std::strings are null-terminated, but it's still undefined behaviour
as there is no guarantee that end() will point to the terminator.

Reported by cppcheck 2.4.1:
```
misc.hh:501:16: warning: Either the condition 'mi==d_mask.end()' is redundant or there is possible dereference of an invalid iterator: mi. [derefInvalidIteratorRedundantCheck]
        while(*mi == '*') ++mi;
               ^
misc.hh:502:16: note: Assuming that condition 'mi==d_mask.end()' is not redundant
        if (mi == d_mask.end()) return true;
               ^
misc.hh:501:16: note: Dereference of an invalid iterator
        while(*mi == '*') ++mi;
```
---
 pdns/misc.hh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pdns/misc.hh b/pdns/misc.hh
index 44d4482870..38f06bc1b5 100644
--- a/pdns/misc.hh
+++ b/pdns/misc.hh
@@ -498,7 +498,7 @@ public:
         if (vi == vend) return false;
         ++vi;
       } else if (*mi == '*') {
-        while(*mi == '*') ++mi;
+        while(mi != mend && *mi == '*') ++mi;
         if (mi == d_mask.end()) return true;
         while(vi != vend) {
           if (match(mi,mend,vi,vend)) return true;
-- 
2.47.2