Bug #26281 INSERT() function mishandles NUL on boundary condition
Submitted: 12 Feb 2007 11:35
Modified: 15 Mar 2007 4:45
Reporter: Bob Stein (Candidate Quality Contributor)
Status: Closed
Category: MySQL Server: General
Severity: S3 (Non-critical)
Version: 5.0 BK, 5.1 BK, 5.2.0-falcon-alpha
OS: Linux (Linux, Windows 2000)
Assigned to: Georgi Kodinov
CPU Architecture: Any
Tags: FUNCTION, insert, nul

[12 Feb 2007 11:35] Bob Stein
Description:
INSERT() function (not the INSERT statement) seems to be converting an internal NUL string terminator to a character in the string, and returning it in the result.  This seems to happen only when the "pos" parameter is 1 beyond the right edge (when pos == length+2).

How to repeat:
The following statement:

   SELECT INSERT('abcdefghijklmnopqrstuvwDEFxyz', 31, 3, '123456789');

generates the following string (PHP syntax):

   "abcdefghijklmnopqrstuvwdefxyz" . "\0" . "123456789"

when it should generate simply:

   "abcdefghijklmnopqrstuvwdefxyz"
[19 Feb 2007 8:47] Sveta Smirnova
Thank you for the report.

Verified as described.
[8 Mar 2007 11:02] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/21473

ChangeSet@1.2435, 2007-03-08 12:32:29+02:00, gkodinov@magare.gmz +3 -0
  Bug #26281:
   Fixed boundary checks in the INSERT() function:
   were one off.
[9 Mar 2007 10:47] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/21579

ChangeSet@1.2435, 2007-03-09 12:47:12+02:00, gkodinov@magare.gmz +3 -0
  Bug #26281:
   Fixed boundary checks in the INSERT() function:
   were one off.
[12 Mar 2007 5:14] Igor Babaev
Pushed to 5.0.38, 5.1.17
[15 Mar 2007 4:45] Paul Dubois
Noted in 5.0.38, 5.1.17 changelogs.

For some values of the position argument, the INSERT() function could
insert a NUL byte into the result.
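
The boundary condition reported in this thread, as an added C model that is not MySQL source code and not written by anyone in the thread. `model_insert`, its `slack` flag and `embedded_nuls` are hypothetical names, and the shape of the one-off range check is an assumption based only on the report and the commit message.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model (assumption, not MySQL code) of SQL INSERT(str, pos, len, newstr) over a
 * NUL-terminated buffer. slack = 1: the range check is one off and accepts a start
 * one past the terminator. slack = 0: strict check. Result is malloc'd and
 * length-counted through *out_len, so it may hold embedded NUL bytes. */
char *model_insert(const char *str, long pos, long len, const char *ins,
                   int slack, size_t *out_len)
{
    size_t n = strlen(str), m = strlen(ins);
    size_t s = (size_t)(pos - 1);          /* SQL positions are 1-based */

    if (pos < 1 || s > n + (slack ? 1 : 0)) {
        s = n;                             /* pos out of range: return str unchanged */
        m = 0;
    }
    size_t rest = s < n ? n - s : 0;       /* characters available from s onward */
    size_t cut = (len < 0 || (size_t)len > rest) ? rest : (size_t)len;
    size_t tail = rest - cut;

    char *out = malloc(s + m + tail + 1);
    if (!out) return NULL;
    memcpy(out, str, s);                   /* head: s == n + 1 copies the terminator too */
    memcpy(out + s, ins, m);
    memcpy(out + s + m, str + s + cut, tail);
    *out_len = s + m + tail;
    out[*out_len] = '\0';
    return out;
}

/* Detection side: count NUL bytes inside a length-counted result. */
size_t embedded_nuls(const char *buf, size_t len)
{
    size_t k = 0;
    for (size_t i = 0; i < len; i++) k += (buf[i] == '\0');
    return k;
}

int main(void)
{
    const char *s = "abcdefghijklmnopqrstuvwDEFxyz";   /* string from the report */
    for (int slack = 1; slack >= 0; slack--) {
        size_t n;
        char *r = model_insert(s, 31, 3, "123456789", slack, &n);
        if (!r) return 1;
        printf("slack=%d length=%zu embedded NULs=%zu\n", slack, n, embedded_nuls(r, n));
        free(r);
    }
    return 0;
}
```

In this model only `pos == length+2` passes the loose check with a head that includes the terminator, which matches the single failing position described in the report.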