Bug #26281:

 Fixed boundary checks in the INSERT() function:
 were off by one.
parent 999c1cdc
......@@ -1946,4 +1946,16 @@ NULL
SELECT UNHEX('G') IS NULL;
UNHEX('G') IS NULL
1
SELECT INSERT('abc', 3, 3, '1234');
INSERT('abc', 3, 3, '1234')
ab1234
SELECT INSERT('abc', 4, 3, '1234');
INSERT('abc', 4, 3, '1234')
abc1234
SELECT INSERT('abc', 5, 3, '1234');
INSERT('abc', 5, 3, '1234')
abc
SELECT INSERT('abc', 6, 3, '1234');
INSERT('abc', 6, 3, '1234')
abc
End of 5.0 tests
......@@ -1014,4 +1014,12 @@ select lpad('abc', cast(5 as unsigned integer), 'x');
SELECT UNHEX('G');
SELECT UNHEX('G') IS NULL;
#
# Bug #26281: INSERT() function mishandles NUL on boundary condition
#
SELECT INSERT('abc', 3, 3, '1234');
SELECT INSERT('abc', 4, 3, '1234');
SELECT INSERT('abc', 5, 3, '1234');
SELECT INSERT('abc', 6, 3, '1234');
--echo End of 5.0 tests
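Review bot: All four new cases use the single-byte literal `'abc'`, so they appear to exercise only the first bounds check in `Item_func_insert::val_str`; the re-test after `charpos()` in the C++ section is still tagged `purecov: inspected`, which suggests no test reaches it. That second check presumably matters only when character positions and byte offsets differ, so I would add the same boundary positions against a multi-byte value, for instance `SELECT INSERT(_utf8 0xD0B0D0B1D0B2, 4, 3, '1234');` and the same with position 5 (the three-character value is constructed for illustration). It would also help to cover position 0 and a negative length, since both branches are touched by the changed conditions.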
......@@ -967,18 +967,18 @@ String *Item_func_insert::val_str(String *str)
args[3]->null_value)
goto null; /* purecov: inspected */
if ((start < 0) || (start > res->length() + 1))
if ((start < 0) || (start > res->length()))
return res; // Wrong param; skip insert
if ((length < 0) || (length > res->length() + 1))
length= res->length() + 1;
if ((length < 0) || (length > res->length()))
length= res->length();
/* start and length are now sufficiently valid to pass to charpos function */
start= res->charpos((int) start);
length= res->charpos((int) length, (uint32) start);
/* Re-testing with corrected params */
if (start > res->length() + 1)
return res; // Wrong param; skip insert
if (start > res->length())
return res; /* purecov: inspected */ // Wrong param; skip insert
if (length > res->length() - start)
length= res->length() - start;
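Review bot: The corrected check `if ((start < 0) || (start > res->length()))` relies on `start` already being zero-based, and nothing in the hunk says so. The expected output for `INSERT('abc', 4, 3, '1234')` (`abc1234`) implies it, since position 4 has to map to `start == res->length()` for the append to happen. Because the earlier `+ 1` bound is what let an index one past the end of the string through, I would record the invariant next to the check, e.g. `/* start is zero-based here: start == res->length() appends, anything larger is out of range */`. The function begins and ends outside the hunk, so the conversion itself and the declared types of `start` and `length` (which are compared against `res->length()` and then narrowed with `(int)`) cannot be confirmed from here.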