1 files changed, 51 insertions, 3 deletions

diff --git a/sql/item_create.cc b/sql/item_create.cc
index 49cc33b95a7..349c47816ad 100644
--- a/sql/item_create.cc
+++ b/sql/item_create.cc
@@ -5057,8 +5057,41 @@ create_func_cast(THD *thd, Item *a, Cast_target cast_type,
     break;
   case ITEM_CAST_DECIMAL:
   {
-    len= c_len ? atoi(c_len) : 0;
-    dec= c_dec ? atoi(c_dec) : 0;
+    if (c_len == NULL)
+    {
+      len= 0;
+    }
+    else
+    {
+      ulong decoded_size;
+      errno= 0;
+      decoded_size= strtoul(c_len, NULL, 10);
+      if (errno != 0)
+      {
+        my_error(ER_TOO_BIG_PRECISION, MYF(0), c_len, a->name,
+                 DECIMAL_MAX_PRECISION);
+        return NULL;
+      }
+      len= decoded_size;
+    }
+
+    if (c_dec == NULL)
+    {
+      dec= 0;
+    }
+    else
+    {
+      ulong decoded_size;
+      errno= 0;
+      decoded_size= strtoul(c_dec, NULL, 10);
+      if ((errno != 0) || (decoded_size > UINT_MAX))
+      {
+        my_error(ER_TOO_BIG_SCALE, MYF(0), c_dec, a->name,
+                 DECIMAL_MAX_SCALE);
+        return NULL;
+      }
+      dec= decoded_size;
+    }
     my_decimal_trim(&len, &dec);
     if (len < dec)
     {
@@ -5083,7 +5116,22 @@ create_func_cast(THD *thd, Item *a, Cast_target cast_type,
   case ITEM_CAST_CHAR:
   {
     CHARSET_INFO *real_cs= (cs ? cs : thd->variables.collation_connection);
-    len= c_len ? atoi(c_len) : -1;
+    if (c_len == NULL)
+    {
+      len= LL(-1);
+    }
+    else
+    {
+      ulong decoded_size;
+      errno= 0;
+      decoded_size= strtoul(c_len, NULL, 10);
+      if ((errno != 0) || (decoded_size > MAX_FIELD_BLOBLENGTH))
+      {
+        my_error(ER_TOO_BIG_DISPLAYWIDTH, MYF(0), "cast as char", MAX_FIELD_BLOBLENGTH);
+        return NULL;
+      }
+      len= decoded_size;
+    }
     res= new (thd->mem_root) Item_char_typecast(a, len, real_cs);
     break;
   }