Bug #27073 Server crashes with SIGFPE
Submitted: 13 Mar 2007 10:00 Modified: 26 Mar 2007 18:28
Reporter: Stephan Fudeus
Status: Duplicate
Category: MySQL Server: Stored Routines    Severity: S2 (Serious)
Version: 5.0.36, 5.0.37-community, 5.1-Mac    OS: Linux (Linux (x86), mac OS X)
Assigned to: Assigned Account    CPU Architecture: Any

[13 Mar 2007 10:00] Stephan Fudeus
Description:
Executing the following procedure will cause the mysql-server to crash with signal 8:

DELIMITER '|';

DROP PROCEDURE IF EXISTS test_proc|
CREATE PROCEDURE test_proc(IN _pad tinyint(4) unsigned, IN _offset int(11) unsigned)

BEGIN
    select repeat('0', _pad - length(_offset));
END|

DELIMITER ';'|

mysql> call test_proc(1,1);
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql>    

This issue was observed on mysql-5.0.37 (statically compiled from mysql.com).
This issue could _not_ be observed on mysql-5.0.26 (statically compiled from mysql.com).

The following workaround works for me:

CREATE PROCEDURE test_proc(IN _pad tinyint(4) unsigned, IN _offset int(11) unsigned)

BEGIN
    set @repeat_length = _pad - length(_offset);
    select repeat('0', @repeat_length);
END|

How to repeat:
see description - just add the procedure and call it.

Suggested fix:
[13 Mar 2007 10:36] Stephan Fudeus
I just noticed:
e.g. call test_proc(3,1) works, just call test_proc(1,1) crashes
[13 Mar 2007 10:51] Sveta Smirnova
Thank you for the report.

Verified as described with last BK mysql-5.0-community and mysql-5.1 on Mac OS X

Other versions are not affected.
[13 Mar 2007 13:20] Stephan Fudeus
Just in case this helps: 
We just discovered that the bug is always triggered when using an unsigned 0 as count-parameter of the repeat-function.

This is not even related to stored procedures anymore. My mysql crashed when issuing the following statement on the mysql-commandline:

SELECT REPEAT('0', CAST(0 AS UNSIGNED));
[23 Mar 2007 13:43] Chad MILLER
Program received signal SIGFPE, Arithmetic exception.
0x0818e564 in Item_func_repeat::val_str (this=0x87ca070, str=0xb74b9fb4)
    at item_strfunc.cc:2264
2264      if (length > current_thd->variables.max_allowed_packet / (uint) count)
(gdb) print count
$1 = <value optimized out>
(gdb) print (uint) count
$2 = 0
(gdb) bt
#0  0x0818e564 in Item_func_repeat::val_str (this=0x87ca070, str=0xb74b9fb4)
    at item_strfunc.cc:2264
#1  0x0814d135 in Item::send (this=0x87ca070, protocol=0x87911f8, 
    buffer=0xb74b9fb4) at item.cc:4707
#2  0x081ce02e in select_send::send_data (this=0x87ca1e8, items=@0x8790a80)
    at sql_class.cc:964
#3  0x0824e5d3 in JOIN::exec (this=0x87ca1f8) at sql_select.cc:1440
#4  0x082511c3 in mysql_select (thd=0x8790718, rref_pointer_array=0x8790b10, 
    tables=0x0, wild_num=0, fields=@0x8790a80, conds=0x0, og_num=0, order=0x0, 
    group=0x0, having=0x0, proc_param=0x0, select_options=2189707776, 
    result=0x87ca1e8, unit=0x87907bc, select_lex=0x87909f4)
    at sql_select.cc:2097
#5  0x08251764 in handle_select (thd=0x8790718, lex=0x8790758, 
    result=0x87ca1e8, setup_tables_done_option=0) at sql_select.cc:256
#6  0x081fc0a0 in mysql_execute_command (thd=0x8790718) at sql_parse.cc:2628
#7  0x081fd033 in mysql_parse (thd=0x8790718, 
    inBuf=0x87c9e50 "SELECT REPEAT('0', CAST(0 AS UNSIGNED))", length=39)
    at sql_parse.cc:5948
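The frame #0 line in the backtrace above is the whole bug: max_allowed_packet is divided by (uint) count before anything has checked that count is non-zero, so REPEAT('0', CAST(0 AS UNSIGNED)) divides by zero and the server dies with SIGFPE. The following C program is an added illustration and is not code from the MySQL source or from anyone on this report; it places a function with the same shape as the crashing check beside a hardened version, and implements REPEAT with the post-fix semantics shown later in the thread (count <= 0 gives an empty string). EXAMPLE_MAX_PACKET and the function names are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the server's max_allowed_packet (assumption: the real
 * value is a per-thread variable read from current_thd). */
#define EXAMPLE_MAX_PACKET 1024u

/* Same shape as the check at item_strfunc.cc:2264 in the backtrace.
 * (unsigned)count is the divisor, so count == 0, which is exactly what
 * CAST(0 AS UNSIGNED) produces, divides by zero and raises SIGFPE.
 * A negative count is a second trap: (unsigned)-2 is 4294967294, the
 * quotient becomes 0, and any non-empty pattern looks "too large".
 * Never call this with count == 0; it is here only for comparison. */
static int repeat_too_large_buggy(size_t length, long long count,
                                  unsigned max_packet)
{
    return length > max_packet / (unsigned)count;
}

/* Hardened size check: an empty result always fits, and the division
 * happens only once count is known to be positive, so there is no
 * divide-by-zero and no need to compute length * count (which could
 * overflow) before deciding. */
static int repeat_too_large(size_t length, long long count, size_t max_packet)
{
    if (count <= 0 || length == 0)
        return 0;
    return length > max_packet / (size_t)count;
}

/* REPEAT(str, count) with the post-fix behaviour shown on this page:
 * count <= 0 yields "", a result larger than max_packet yields NULL
 * (the server returns SQL NULL with a warning in that case; here NULL
 * also covers malloc failure). Caller frees the returned buffer. */
char *safe_repeat(const char *str, long long count, size_t max_packet)
{
    size_t len = strlen(str);
    if (count <= 0 || len == 0)
        count = 0;                            /* REPEAT('x', -2) -> '' */
    if (repeat_too_large(len, count, max_packet))
        return NULL;
    size_t total = len * (size_t)count;       /* cannot overflow: checked above */
    char *out = malloc(total + 1);
    if (out == NULL)
        return NULL;
    for (size_t i = 0; i < (size_t)count; i++)
        memcpy(out + i * len, str, len);
    out[total] = '\0';
    return out;
}

int main(void)
{
    /* Constructed inputs: the three cases Igor Babaev ran, plus one
     * that exceeds the packet limit. */
    long long counts[] = { 0, -2, 2, 2000 };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        char *r = safe_repeat("0", counts[i], EXAMPLE_MAX_PACKET);
        printf("REPEAT('0', %lld) -> '%s'\n", counts[i],
               r ? r : "NULL (too large)");
        free(r);
    }
    return 0;
}
```

The order of the two tests in repeat_too_large is the point: the count <= 0 branch must be decided before the division is reached, which is exactly what the workaround in the report achieves by accident (storing the count in a user variable changes how the argument is evaluated) and what the fix for bug#25197 does deliberately.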
[26 Mar 2007 17:44] Chad MILLER
This is, AFAIK, already solved.
[26 Mar 2007 18:28] Igor Babaev
This bug was introduced by the patch for bug#10963.

The patch for bug#25197 actually has fixed bug#27073 as well:
 
mysql> SELECT VERSION();
+--------------+
| VERSION()    |
+--------------+
| 5.0.40-debug |
+--------------+
1 row in set (0.00 sec)

mysql> SELECT REPEAT('0', CAST(0 AS UNSIGNED));
+----------------------------------+
| REPEAT('0', CAST(0 AS UNSIGNED)) |
+----------------------------------+
|                                  |
+----------------------------------+
1 row in set (0.00 sec)

mysql> SELECT REPEAT('0', -2);
+-----------------+
| REPEAT('0', -2) |
+-----------------+
|                 |
+-----------------+
1 row in set (0.01 sec)

mysql> SELECT REPEAT('0', 2);
+----------------+
| REPEAT('0', 2) |
+----------------+
| 00             |
+----------------+
1 row in set (0.00 sec)

That's why I mark this bug as a duplicate of bug#25197.
[6 Apr 2007 17:21] Bugs System
Pushed into 5.0.40
[6 Apr 2007 17:24] Bugs System
Pushed into 5.1.18-beta