Bug #26281:

 Fixed boundry checks in the INSERT() function:
 were one off.
parent 999c1cdc
...@@ -1946,4 +1946,16 @@ NULL ...@@ -1946,4 +1946,16 @@ NULL
SELECT UNHEX('G') IS NULL; SELECT UNHEX('G') IS NULL;
UNHEX('G') IS NULL UNHEX('G') IS NULL
1 1
SELECT INSERT('abc', 3, 3, '1234');
INSERT('abc', 3, 3, '1234')
ab1234
SELECT INSERT('abc', 4, 3, '1234');
INSERT('abc', 4, 3, '1234')
abc1234
SELECT INSERT('abc', 5, 3, '1234');
INSERT('abc', 5, 3, '1234')
abc
SELECT INSERT('abc', 6, 3, '1234');
INSERT('abc', 6, 3, '1234')
abc
End of 5.0 tests End of 5.0 tests
...@@ -1014,4 +1014,12 @@ select lpad('abc', cast(5 as unsigned integer), 'x'); ...@@ -1014,4 +1014,12 @@ select lpad('abc', cast(5 as unsigned integer), 'x');
SELECT UNHEX('G'); SELECT UNHEX('G');
SELECT UNHEX('G') IS NULL; SELECT UNHEX('G') IS NULL;
#
# Bug #26281: INSERT() function mishandles NUL on boundary condition
#
SELECT INSERT('abc', 3, 3, '1234');
SELECT INSERT('abc', 4, 3, '1234');
SELECT INSERT('abc', 5, 3, '1234');
SELECT INSERT('abc', 6, 3, '1234');
--echo End of 5.0 tests --echo End of 5.0 tests
...@@ -967,18 +967,18 @@ String *Item_func_insert::val_str(String *str) ...@@ -967,18 +967,18 @@ String *Item_func_insert::val_str(String *str)
args[3]->null_value) args[3]->null_value)
goto null; /* purecov: inspected */ goto null; /* purecov: inspected */
if ((start < 0) || (start > res->length() + 1)) if ((start < 0) || (start > res->length()))
return res; // Wrong param; skip insert return res; // Wrong param; skip insert
if ((length < 0) || (length > res->length() + 1)) if ((length < 0) || (length > res->length()))
length= res->length() + 1; length= res->length();
/* start and length are now sufficiently valid to pass to charpos function */ /* start and length are now sufficiently valid to pass to charpos function */
start= res->charpos((int) start); start= res->charpos((int) start);
length= res->charpos((int) length, (uint32) start); length= res->charpos((int) length, (uint32) start);
/* Re-testing with corrected params */ /* Re-testing with corrected params */
if (start > res->length() + 1) if (start > res->length())
return res; // Wrong param; skip insert return res; /* purecov: inspected */ // Wrong param; skip insert
if (length > res->length() - start) if (length > res->length() - start)
length= res->length() - start; length= res->length() - start;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment