Merge with 5.1 to get in changes from MySQL 5.1.55

author: Michael Widenius <monty@askmonty.org> 2011-02-28 19:39:30 +0200
committer: Michael Widenius <monty@askmonty.org> 2011-02-28 19:39:30 +0200
commit: 3358cdd5048671ee6cbbf50c291f7e0d0fda8e1e (patch)
tree: da0e622896425203d23ecdfd1bc77b57e3502edf /sql/item_strfunc.cc
parent: 869f5d0e81d5cbecaec3605f292fbb363b9ccbf6 (diff)
parent: f83e594218a6d19da2fa1ea2a01d860c30fe2913 (diff)
download: mariadb-git-3358cdd5048671ee6cbbf50c291f7e0d0fda8e1e.tar.gz
1 files changed, 7 insertions, 1 deletions
diff --git a/sql/item_strfunc.cc b/sql/item_strfunc.cc
index aebbc21b0fc..ad88fe31a0d 100644
--- a/sql/item_strfunc.cc
+++ b/sql/item_strfunc.cc
@@ -905,9 +905,15 @@ String *Item_func_replace::val_str(String *str)
     search=res2->ptr();
     search_end=search+from_length;
 redo:
+    DBUG_ASSERT(res->ptr() || !offset);
     ptr=res->ptr()+offset;
     strend=res->ptr()+res->length();
-    end=strend-from_length+1;
+    /*
+      In some cases val_str() can return empty string
+      with ptr() == NULL and length() == 0.
+      Let's check strend to avoid overflow.
+    */
+    end= strend ? strend - from_length + 1 : NULL;
     while (ptr < end)
     {
         if (*ptr == *search)
author	Michael Widenius <monty@askmonty.org>	2011-02-28 19:39:30 +0200
committer	Michael Widenius <monty@askmonty.org>	2011-02-28 19:39:30 +0200
commit	3358cdd5048671ee6cbbf50c291f7e0d0fda8e1e (patch)
tree	da0e622896425203d23ecdfd1bc77b57e3502edf /sql/item_strfunc.cc
parent	869f5d0e81d5cbecaec3605f292fbb363b9ccbf6 (diff)
parent	f83e594218a6d19da2fa1ea2a01d860c30fe2913 (diff)
download	mariadb-git-3358cdd5048671ee6cbbf50c291f7e0d0fda8e1e.tar.gz