MDEV-24524 Assertion `ls->length < 0xFFFFFFFFL && ((ls->length == 0 && !ls->str) || ls->length == strlen(ls->str))' failed in String::append on SELECT from I_S

don't expect return type of a stored function to be valid.
it's read from a table, so can be messed with.
it even can contain \0 bytes in the middle of the type name

3 files changed, 19 insertions, 5 deletions

diff --git a/mysql-test/main/sp-ucs2.result b/mysql-test/main/sp-ucs2.result
index ca448efa535..0f5624314d7 100644
--- a/mysql-test/main/sp-ucs2.result
+++ b/mysql-test/main/sp-ucs2.result
@@ -115,7 +115,6 @@ RETURN 'str';
 END|
 ERROR 42000: COLLATION 'ucs2_unicode_ci' is not valid for CHARACTER SET 'latin1'
 SET NAMES utf8;
-DROP FUNCTION IF EXISTS bug48766;
 CREATE FUNCTION bug48766 ()
 RETURNS ENUM( 'w' ) CHARACTER SET ucs2
 RETURN 0;
@@ -140,3 +139,10 @@ WHERE ROUTINE_NAME='bug48766';
 DTD_IDENTIFIER
 enum('а','б','в','г')
 DROP FUNCTION bug48766;
+call mtr.add_suppression('invalid value in column mysql.proc.');
+set collation_connection=ucs2_general_ci;
+insert into mysql.proc (db, name, type, specific_name, language, sql_data_access, is_deterministic, security_type, param_list, returns, body, definer, created, modified, sql_mode, comment, character_set_client, collation_connection, db_collation, body_utf8 ) values ( 'a', 'a', 'function', 'bug14233_1', 'sql', 'reads_sql_data', 'no', 'definer', '', 'int(10)', 'select * from mysql.user', 'root@localhost', now(), '0000-00-00 00:00:00', '', '', '', '', '', 'select * from mysql.user' );
+select * from information_schema.routines where routine_name='a';
+ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' at line 1
+set collation_connection=default;
+delete from mysql.proc where name='a';
diff --git a/mysql-test/main/sp-ucs2.test b/mysql-test/main/sp-ucs2.test
index a1aec8071b4..004d62f4cc5 100644
--- a/mysql-test/main/sp-ucs2.test
+++ b/mysql-test/main/sp-ucs2.test
@@ -151,9 +151,6 @@ delimiter ;|
 # Bug#48766 SHOW CREATE FUNCTION returns extra data in return clause
 #
 SET NAMES utf8;
---disable_warnings
-DROP FUNCTION IF EXISTS bug48766;
---enable_warnings
 #
 # Test that Latin letters are not prepended with extra '\0'.
 #
@@ -175,3 +172,14 @@ SELECT DTD_IDENTIFIER FROM INFORMATION_SCHEMA.ROUTINES
 WHERE ROUTINE_NAME='bug48766';
 
 DROP FUNCTION bug48766;
+
+#
+#
+#
+call mtr.add_suppression('invalid value in column mysql.proc.');
+set collation_connection=ucs2_general_ci;
+insert into mysql.proc (db, name, type, specific_name, language, sql_data_access, is_deterministic, security_type, param_list, returns, body, definer, created, modified, sql_mode, comment, character_set_client, collation_connection, db_collation, body_utf8 ) values ( 'a', 'a', 'function', 'bug14233_1', 'sql', 'reads_sql_data', 'no', 'definer', '', 'int(10)', 'select * from mysql.user', 'root@localhost', now(), '0000-00-00 00:00:00', '', '', '', '', '', 'select * from mysql.user' );
+--error ER_PARSE_ERROR
+select * from information_schema.routines where routine_name='a';
+set collation_connection=default;
+delete from mysql.proc where name='a';
diff --git a/sql/sp.cc b/sql/sp.cc
index 98e94ac06cf..a4c4ca58414 100644
--- a/sql/sp.cc
+++ b/sql/sp.cc
@@ -2948,7 +2948,7 @@ Sp_handler::show_create_sp(THD *thd, String *buf,
       buf->append(STRING_WITH_LEN(" RETURN "));
     else
       buf->append(STRING_WITH_LEN(" RETURNS "));
-    buf->append(&returns);
+    buf->append(returns.str, returns.length);   // Not \0 terminated
   }
   buf->append('\n');
   switch (chistics.daccess) {