MySQL Bugs: #26281: INSERT() function mishandles NUL on boundary condition

Bug #26281	INSERT() function mishandles NUL on boundary condition
Submitted:	12 Feb 2007 11:35	Modified:	15 Mar 2007 4:45
Reporter:	Bob Stein (Candidate Quality Contributor)	Email Updates:
Status:	Closed	Impact on me:	None
Category:	MySQL Server: General	Severity:	S3 (Non-critical)
Version:	5.0 BK, 5.1 BK, 5.2.0-falcon-alpha	OS:	Linux (Linux, Windows 2000)
Assigned to:	Georgi Kodinov	CPU Architecture:	Any
Tags:	FUNCTION, insert, nul

Description:
INSERT() function (not the INSERT statement) seems to be converting an internal NUL string terminator to a character in the string, and returning it in the result.  This seems to happen only when the "pos" parameter is 1 beyond the right edge (when pos == length+2).

How to repeat:
The following statement:

   SELECT INSERT('abcdefghijklmnopqrstuvwDEFxyz', 31, 3, '123456789');

generates the following string (PHP syntax):

   "abcdefghijklmnopqrstuvwdefxyz" . "\0" . "123456789"

when it should generate simply:

   "abcdefghijklmnopqrstuvwdefxyz"

Thank you for the report.

Verified as described.

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/21473

ChangeSet@1.2435, 2007-03-08 12:32:29+02:00, gkodinov@magare.gmz +3 -0
  Bug #26281:
   Fixed boundry checks in the INSERT() function:
   were one off.

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/21579

ChangeSet@1.2435, 2007-03-09 12:47:12+02:00, gkodinov@magare.gmz +3 -0
  Bug #26281:
   Fixed boundry checks in the INSERT() function:
   were one off.

Pushed to 5.0.38, 5.1.17

Noted in 5.0.38, 5.1.17 changelogs.

For some values of the position argument, the INSERT() function could
insert a NUL byte into the result.