Details
Bug
Resolution: Fixed
Critical
6.0.0
Untriaged
1
Unknown
CX Sprint 259, CX Sprint 260, CX Sprint 261, CX Sprint 262
Description
The SUBSTR function may produce a malformed string. SUBSTR uses a string builder to construct the output substring. Before constructing the string, it gives the string builder an estimated length for the output substring and then starts writing the substring data to the builder buffer. If the data actually written exceeds the estimated length by enough that the builder buffer must make more space to encode the actual length and shift the substring content, the resulting content is malformed, which might lead to failures further up the stack.
Also, for a call of the form SUBSTR(input_string, 0, num_chars_to_substring), where the start offset is 0, SUBSTR always estimates the length to be 0-127, so if the characters written go beyond 127, it will encounter the issue described above.