--- gawk-stable/builtin.c 2008-05-14 04:57:38.000000000 +0200
+++ gawk-stable.fixed/builtin.c 2008-07-04 23:48:14.000000000 +0200
@@ -1448,10 +1448,12 @@
 if (! (d_length >= 1)) {
 if (do_lint == LINT_ALL)
 lintwarn(_("substr: length %g is not >= 1"), d_length);
- else if (do_lint == LINT_INVALID && ! (d_length >= 0))
+ else if (do_lint == LINT_INVALID && ! (d_length >= 0)) {
 lintwarn(_("substr: length %g is not >= 0"), d_length);
- free_temp(t1);
- return Nnull_string;
+ free_temp(t1);
+ return Nnull_string;
+ }
+ d_length = 0;
 }
 if (do_lint) {
 if (double_to_int(d_length) != d_length)
@@ -1491,8 +1493,8 @@
 if (do_lint)
 lintwarn(_("substr: start index %g is past end of string"),
 d_index);
- free_temp(t1);
- return Nnull_string;
+ indx = src_len;
+ length = 0;
 }
 if (length > src_len - indx) {
 if (do_lint)
--- gawk-stable/ChangeLog 2008-06-24 21:33:42.000000000 +0200
+++ gawk-stable.fixed/ChangeLog 2008-07-04 23:52:36.000000000 +0200
@@ -1,3 +1,10 @@
+Fri Jul 4 21:39:34 2008 Steffen Schuler
+
+ * builtin.c (do_substr): Fixed bug for index > length or
+ length == 0. Returns now empty string instead of uninitialized
+ value. Thanks to Jorge Stolfi for finding
+ the problem.
+
 Tue Jun 24 07:44:06 2008 Arnold D. Robbins

 * dfa.c (insert): Reworked for significant speed improvement
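Review bot: The early `return Nnull_string` now sits inside the `do_lint == LINT_INVALID && ! (d_length >= 0)` branch, so substr() with a negative length returns a different value depending on whether invalid-lint mode is enabled, while every other mode falls through to `d_length = 0;`. If the ChangeLog's "uninitialized value" refers to Nnull_string, this branch still returns it. A lint setting should only add a warning, so I would leave the `else if` with the bare `lintwarn(...)` call, drop the braces together with `free_temp(t1); return Nnull_string;`, and keep `d_length = 0;` as the only outcome of the block. The function continues outside the hunk, so the zero-length path and the release of t1 further down are not visible here.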
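Review bot: The fall-through that replaces the early return in the second builtin.c hunk deserves a comment, because this block no longer frees t1 or returns, and correctness now rests on code below the hunk. A line such as `/* clamp to end of string; the code below then yields an empty string and releases t1 */` above `indx = src_len;` would record that intent. With `indx == src_len` and `length == 0` the following `length > src_len - indx` test is false, so the clamp is consistent with the visible context. The block's opening condition and the rest of the function are outside the hunk, so anything after it that reads the source string at indx needs to accept the one-past-the-end offset.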