Commit 29b6d554 authored by unknown's avatar unknown

Bug #26281:

 Fixed boundary checks in the INSERT() function:
 they were off by one.


mysql-test/r/func_str.result:
  Bug #26281: test case
mysql-test/t/func_str.test:
  Bug #26281: test case
sql/item_strfunc.cc:
  Bug #26281: fixed boundary checks
parent 1631f65d
+12 −0
@@ -1946,4 +1946,16 @@ NULL
SELECT UNHEX('G') IS NULL;
UNHEX('G') IS NULL
1
SELECT INSERT('abc', 3, 3, '1234');
INSERT('abc', 3, 3, '1234')
ab1234
SELECT INSERT('abc', 4, 3, '1234');
INSERT('abc', 4, 3, '1234')
abc1234
SELECT INSERT('abc', 5, 3, '1234');
INSERT('abc', 5, 3, '1234')
abc
SELECT INSERT('abc', 6, 3, '1234');
INSERT('abc', 6, 3, '1234')
abc
End of 5.0 tests
+8 −0
@@ -1014,4 +1014,12 @@ select lpad('abc', cast(5 as unsigned integer), 'x');
SELECT UNHEX('G');
SELECT UNHEX('G') IS NULL;

#
# Bug #26281: INSERT() function mishandles NUL on boundary condition
#
SELECT INSERT('abc', 3, 3, '1234');
SELECT INSERT('abc', 4, 3, '1234');
SELECT INSERT('abc', 5, 3, '1234');
SELECT INSERT('abc', 6, 3, '1234');

--echo End of 5.0 tests
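Review bot: All four added cases use the single-byte literal 'abc', where character positions and byte offsets coincide, so the second range check in Item_func_insert::val_str (the re-test after charpos(), which this commit marks `/* purecov: inspected */`) is presumably never reached by the suite. Repeat the same boundary sweep on a multibyte string so that both checks are exercised, for example (constructed sample) `SELECT HEX(INSERT(_utf8 0xD0B0D0B1D0B2, 4, 3, '1234'));` together with its position-5 variant. If func_str.test does not already cover them elsewhere, position 0 and a negative or oversized length belong in the same block, since the patched conditions also handle those inputs.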
+5 −5
Original line number Diff line number Diff line
@@ -967,18 +967,18 @@ String *Item_func_insert::val_str(String *str)
      args[3]->null_value)
    goto null; /* purecov: inspected */

  if ((start < 0) || (start > res->length() + 1))
  if ((start < 0) || (start > res->length()))
    return res;                                 // Wrong param; skip insert
  if ((length < 0) || (length > res->length() + 1))
    length= res->length() + 1;
  if ((length < 0) || (length > res->length()))
    length= res->length();

  /* start and length are now sufficiently valid to pass to charpos function */
  start= res->charpos((int) start);
  length= res->charpos((int) length, (uint32) start);

  /* Re-testing with corrected params */
  if (start > res->length() + 1)
    return res;                                 // Wrong param; skip insert
  if (start > res->length())
    return res; /* purecov: inspected */        // Wrong param; skip insert
  if (length > res->length() - start)
    length= res->length() - start;
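Review bot: The two range checks on `start` use different units and nothing in the code says so: the first compares the caller's character position with `res->length()` before `charpos()`, the second compares the converted offset after it. The boundary this commit moves is also undocumented, namely that `start == res->length()` is the valid "append" case (the new test expects `abc1234` for position 4), while anything larger leaves the string untouched. A comment above the first check, such as `/* start appears to be 0-based here; start == res->length() appends, larger values are out of range */`, would make that invariant explicit and help prevent the off-by-one from being reintroduced. The `(int) start` and `(int) length` casts depend on the preceding clamps; both variables are declared outside the hunk, so their width should be confirmed there, and the body of val_str starts and ends outside the hunk.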