merge mysql-5.5->mysql-5.5-bugteam

author: Georgi Kodinov <Georgi.Kodinov@Oracle.com> 2010-12-16 18:44:17 +0200
committer: Georgi Kodinov <Georgi.Kodinov@Oracle.com> 2010-12-16 18:44:17 +0200
commit: c6b904abf8a139a3b95c9825cc7c53fd8f1a6fd0 (patch)
tree: a0d8f4957cf9d256a3cc3445c7db25384f97e249 /sql/item_strfunc.cc
parent: 28a5059a92707e009aada358bf103fa386ea7c2c (diff)
parent: 3d799bdffd04beba3dad4f1ece915104b0284157 (diff)
download: mariadb-git-c6b904abf8a139a3b95c9825cc7c53fd8f1a6fd0.tar.gz
1 files changed, 7 insertions, 1 deletions
diff --git a/sql/item_strfunc.cc b/sql/item_strfunc.cc
index 3c92c829144..2a93bcd0153 100644
--- a/sql/item_strfunc.cc
+++ b/sql/item_strfunc.cc
@@ -1080,9 +1080,15 @@ String *Item_func_replace::val_str(String *str)
     search=res2->ptr();
     search_end=search+from_length;
 redo:
+    DBUG_ASSERT(res->ptr() || !offset);
     ptr=res->ptr()+offset;
     strend=res->ptr()+res->length();
-    end=strend-from_length+1;
+    /*
+      In some cases val_str() can return empty string
+      with ptr() == NULL and length() == 0.
+      Let's check strend to avoid overflow.
+    */
+    end= strend ? strend - from_length + 1 : NULL;
     while (ptr < end)
     {
         if (*ptr == *search)
author	Georgi Kodinov <Georgi.Kodinov@Oracle.com>	2010-12-16 18:44:17 +0200
committer	Georgi Kodinov <Georgi.Kodinov@Oracle.com>	2010-12-16 18:44:17 +0200
commit	c6b904abf8a139a3b95c9825cc7c53fd8f1a6fd0 (patch)
tree	a0d8f4957cf9d256a3cc3445c7db25384f97e249 /sql/item_strfunc.cc
parent	28a5059a92707e009aada358bf103fa386ea7c2c (diff)
parent	3d799bdffd04beba3dad4f1ece915104b0284157 (diff)
download	mariadb-git-c6b904abf8a139a3b95c9825cc7c53fd8f1a6fd0.tar.gz