merge

author: Georgi Kodinov <Georgi.Kodinov@Oracle.com> 2010-12-16 16:40:52 +0200
committer: Georgi Kodinov <Georgi.Kodinov@Oracle.com> 2010-12-16 16:40:52 +0200
commit: b908a74bc93607e39958aaafd0f28821c6cd94fb (patch)
tree: 99ca0d190d46ddddecfc124efe2f2cfc7a4f604a /sql/item_strfunc.cc
parent: 338e0d5cac3a772efe2b4ac451f4defd28c4a4ce (diff)
parent: f1431e158281596497e5cc33adcd6d84ca4b10a4 (diff)
download: mariadb-git-b908a74bc93607e39958aaafd0f28821c6cd94fb.tar.gz
1 files changed, 7 insertions, 1 deletions
diff --git a/sql/item_strfunc.cc b/sql/item_strfunc.cc
index 8fda281bd9e..fd5c47d25cb 100644
--- a/sql/item_strfunc.cc
+++ b/sql/item_strfunc.cc
@@ -904,9 +904,15 @@ String *Item_func_replace::val_str(String *str)
     search=res2->ptr();
     search_end=search+from_length;
 redo:
+    DBUG_ASSERT(res->ptr() || !offset);
     ptr=res->ptr()+offset;
     strend=res->ptr()+res->length();
-    end=strend-from_length+1;
+    /*
+      In some cases val_str() can return empty string
+      with ptr() == NULL and length() == 0.
+      Let's check strend to avoid overflow.
+    */
+    end= strend ? strend - from_length + 1 : NULL;
     while (ptr < end)
     {
         if (*ptr == *search)
author	Georgi Kodinov <Georgi.Kodinov@Oracle.com>	2010-12-16 16:40:52 +0200
committer	Georgi Kodinov <Georgi.Kodinov@Oracle.com>	2010-12-16 16:40:52 +0200
commit	b908a74bc93607e39958aaafd0f28821c6cd94fb (patch)
tree	99ca0d190d46ddddecfc124efe2f2cfc7a4f604a /sql/item_strfunc.cc
parent	338e0d5cac3a772efe2b4ac451f4defd28c4a4ce (diff)
parent	f1431e158281596497e5cc33adcd6d84ca4b10a4 (diff)
download	mariadb-git-b908a74bc93607e39958aaafd0f28821c6cd94fb.tar.gz