Bug #26281:

Fixed boundry checks in the INSERT() function:
 were one off.

mysql-test/r/func_str.result

@@ -1946,4 +1946,16 @@ NULL
 SELECT UNHEX('G') IS NULL;
 UNHEX('G') IS NULL
 1
+SELECT INSERT('abc', 3, 3, '1234');
+INSERT('abc', 3, 3, '1234')
+ab1234
+SELECT INSERT('abc', 4, 3, '1234');
+INSERT('abc', 4, 3, '1234')
+abc1234
+SELECT INSERT('abc', 5, 3, '1234');
+INSERT('abc', 5, 3, '1234')
+abc
+SELECT INSERT('abc', 6, 3, '1234');
+INSERT('abc', 6, 3, '1234')
+abc
 End of 5.0 tests

mysql-test/t/func_str.test

@@ -1014,4 +1014,12 @@ select lpad('abc', cast(5 as unsigned integer), 'x');
 SELECT UNHEX('G');
 SELECT UNHEX('G') IS NULL;
 
+#
+# Bug #26281: INSERT() function mishandles NUL on boundary condition
+#
+SELECT INSERT('abc', 3, 3, '1234');
+SELECT INSERT('abc', 4, 3, '1234');
+SELECT INSERT('abc', 5, 3, '1234');
+SELECT INSERT('abc', 6, 3, '1234');
+
 --echo End of 5.0 tests

sql/item_strfunc.cc

@@ -967,18 +967,18 @@ String *Item_func_insert::val_str(String *str)
       args[3]->null_value)
     goto null; /* purecov: inspected */
 
-  if ((start < 0) || (start > res->length() + 1))
+  if ((start < 0) || (start > res->length()))
     return res;                                 // Wrong param; skip insert
-  if ((length < 0) || (length > res->length() + 1))
-    length= res->length() + 1;
+  if ((length < 0) || (length > res->length()))
+    length= res->length();
 
   /* start and length are now sufficiently valid to pass to charpos function */
   start= res->charpos((int) start);
   length= res->charpos((int) length, (uint32) start);
 
   /* Re-testing with corrected params */
-  if (start > res->length() + 1)
-    return res;                                 // Wrong param; skip insert
+  if (start > res->length())
+    return res; /* purecov: inspected */        // Wrong param; skip insert
   if (length > res->length() - start)
     length= res->length() - start;