Bug#12368853 FORMAT() CRASHES WITH LARGE NUMBERS AFTER TRUNCATE...

mysql-test/r/type_float.result:
  New test case.
mysql-test/t/type_float.test:
  New test case.
sql/item_strfunc.cc:
  There was a buffer over/under-run when inserting decimal point into an empty string.

mysql-test/r/type_float.result

@@ -441,3 +441,9 @@ select least(-1.1111111111111111111111111,
 select concat((truncate((-1.7976931348623157E+307),(0x1e))),
 (99999999999999999999999999999999999999999999999999999999999999999)) into @a;
 End of 5.0 tests
+#
+# Bug#12368853 FORMAT() CRASHES WITH LARGE NUMBERS AFTER TRUNCATE...
+#
+select format(truncate('1.7976931348623157E+308',-12),1,'fr_BE') as foo;
+foo
+0

mysql-test/t/type_float.test

@@ -325,3 +325,9 @@ eval select concat((truncate((-1.7976931348623157E+307),(0x1e))),
 --enable_result_log
 
 --echo End of 5.0 tests
+
+--echo #
+--echo # Bug#12368853 FORMAT() CRASHES WITH LARGE NUMBERS AFTER TRUNCATE...
+--echo #
+
+select format(truncate('1.7976931348623157E+308',-12),1,'fr_BE') as foo;

sql/item_strfunc.cc

@@ -2316,7 +2316,7 @@ String *Item_func_format::val_str_ascii(String *str)
       return 0; /* purecov: inspected */
     nr= my_double_round(nr, (longlong) dec, FALSE, FALSE);
     str->set_real(nr, dec, &my_charset_numeric);
-    if (isnan(nr))
+    if (isnan(nr) || my_isinf(nr))
       return str;
     str_length=str->length();
   }
@@ -2372,6 +2372,7 @@ String *Item_func_format::val_str_ascii(String *str)
       For short values without thousands (<1000)
       replace decimal point to localized value.
     */
+    DBUG_ASSERT(dec_length <= str_length);
     ((char*) str->ptr())[str_length - dec_length]= lc->decimal_point;
   }
   return str;