From 29b6d554028cd40459061b22d216c3b16cf6298e Mon Sep 17 00:00:00 2001
From: unknown <gkodinov/kgeorge@magare.gmz>
Date: Fri, 9 Mar 2007 12:47:12 +0200
Subject: [PATCH] Bug #26281:  Fixed boundry checks in the INSERT() function: 
 were one off.

mysql-test/r/func_str.result:
  Bug #26281: test case
mysql-test/t/func_str.test:
  Bug #26281: test case
sql/item_strfunc.cc:
  Bug #26281: fixed boundry checks
---
 mysql-test/r/func_str.result | 12 ++++++++++++
 mysql-test/t/func_str.test   |  8 ++++++++
 sql/item_strfunc.cc          | 10 +++++-----
 3 files changed, 25 insertions(+), 5 deletions(-)

diff --git a/mysql-test/r/func_str.result b/mysql-test/r/func_str.result
index d09d3aeb529..5e78e2572c1 100644
--- a/mysql-test/r/func_str.result
+++ b/mysql-test/r/func_str.result
@@ -1946,4 +1946,16 @@ NULL
 SELECT UNHEX('G') IS NULL;
 UNHEX('G') IS NULL
 1
+SELECT INSERT('abc', 3, 3, '1234');
+INSERT('abc', 3, 3, '1234')
+ab1234
+SELECT INSERT('abc', 4, 3, '1234');
+INSERT('abc', 4, 3, '1234')
+abc1234
+SELECT INSERT('abc', 5, 3, '1234');
+INSERT('abc', 5, 3, '1234')
+abc
+SELECT INSERT('abc', 6, 3, '1234');
+INSERT('abc', 6, 3, '1234')
+abc
 End of 5.0 tests
diff --git a/mysql-test/t/func_str.test b/mysql-test/t/func_str.test
index 2e76dc2ca31..775e273b384 100644
--- a/mysql-test/t/func_str.test
+++ b/mysql-test/t/func_str.test
@@ -1014,4 +1014,12 @@ select lpad('abc', cast(5 as unsigned integer), 'x');
 SELECT UNHEX('G');
 SELECT UNHEX('G') IS NULL;
 
+#
+# Bug #26281: INSERT() function mishandles NUL on boundary condition
+#
+SELECT INSERT('abc', 3, 3, '1234');
+SELECT INSERT('abc', 4, 3, '1234');
+SELECT INSERT('abc', 5, 3, '1234');
+SELECT INSERT('abc', 6, 3, '1234');
+
 --echo End of 5.0 tests
diff --git a/sql/item_strfunc.cc b/sql/item_strfunc.cc
index 385f4ad9770..8a2574bd248 100644
--- a/sql/item_strfunc.cc
+++ b/sql/item_strfunc.cc
@@ -967,18 +967,18 @@ String *Item_func_insert::val_str(String *str)
       args[3]->null_value)
     goto null; /* purecov: inspected */
 
-  if ((start < 0) || (start > res->length() + 1))
+  if ((start < 0) || (start > res->length()))
     return res;                                 // Wrong param; skip insert
-  if ((length < 0) || (length > res->length() + 1))
-    length= res->length() + 1;
+  if ((length < 0) || (length > res->length()))
+    length= res->length();
 
   /* start and length are now sufficiently valid to pass to charpos function */
   start= res->charpos((int) start);
   length= res->charpos((int) length, (uint32) start);
 
   /* Re-testing with corrected params */
-  if (start > res->length() + 1)
-    return res;                                 // Wrong param; skip insert
+  if (start > res->length())
+    return res; /* purecov: inspected */        // Wrong param; skip insert
   if (length > res->length() - start)
     length= res->length() - start;