This is the bug described in comment 1 of bug 14655, which is not a security issue in itself, but cannot easily be fixed separately. I'm putting it here to track it. When bug 14655 is public, this one can be public.

See attachment 16501 [details]

ldb_handler_fold() makes mistakes when collapsing multiple internal spaces down to a single space. 

When trying to add a test asserting that "1    0" would match "*1 0" (because all those spaces shrink to one, and "*X" matches "X"), I found that instead "1    0" was being converted to "1 0  0": the internal spaces were shrunk, but the terminating '\0' was not added and the ldb_val length was not adjusted.


That's because here:

	/* check middle spaces */
	while ((t = strchr(s, ' ')) != NULL) {
		for (s = t; *s == ' '; s++) ;

		if ((s - t) > 1) {
			l = strlen(s);

			/* remove all spaces but one by moving down the string */
			memmove(t + 1, s, l);
		}
	}

let's label our four spaces a, b, c, d and assume a terminated string. We have the 7 bytes {'1', a, b, c, d, '0', '\0'}. 
The strchr() points t to space a.
The for loop walks s along the spaces until it hits '0'.  
`s - t` is 4, so we set l to strlen(s) which is 1. 
Then we memmove(b, s, 1). That copies the '0' to position b.
Next strchr hits the '\0' and we're done, leaving us with "1 0  0".

The proposed fix is to walk though the whole string simply and carefully in a single loop, stepping over extra spaces as we find them. This patch is written to go on top of attachment 16500 [details].