Fixed bug #22015: crash with GROUP_CONCAT over a derived table

that returns the results of aggregation by GROUP_CONCAT.
The crash was due to an overflow happened for the field
sortoder->length.
The fix prevents this overflow exploiting the fact that the
value of sortoder->length cannot be greater than the value of
thd->variables.max_sort_length.

mysql-test/r/func_gconcat.result

@@ -654,3 +654,12 @@ CHAR_LENGTH( GROUP_CONCAT(b) )
 240001
 SET GROUP_CONCAT_MAX_LEN = 1024;
 DROP TABLE t1;
+CREATE TABLE t1 (a int, b int);
+INSERT INTO t1 VALUES (2,1), (1,2), (2,2), (1,3);
+SELECT GROUP_CONCAT(a), x 
+FROM (SELECT a, GROUP_CONCAT(b) x FROM t1 GROUP BY a) AS s
+GROUP BY x;
+GROUP_CONCAT(a)	x
+2	1,2
+1	2,3
+DROP TABLE t1;

mysql-test/t/func_gconcat.test

@@ -447,3 +447,18 @@ SELECT a, CHAR_LENGTH(b) FROM t1;
 SELECT CHAR_LENGTH( GROUP_CONCAT(b) ) FROM t1;
 SET GROUP_CONCAT_MAX_LEN = 1024;
 DROP TABLE t1;
+
+#
+# Bug #22015: crash with GROUP_CONCAT over a derived table that 
+#             returns the results of aggregation by GROUP_CONCAT  
+#
+
+CREATE TABLE t1 (a int, b int);
+
+INSERT INTO t1 VALUES (2,1), (1,2), (2,2), (1,3);
+
+SELECT GROUP_CONCAT(a), x 
+  FROM (SELECT a, GROUP_CONCAT(b) x FROM t1 GROUP BY a) AS s
+    GROUP BY x;
+
+DROP TABLE t1;

sql/filesort.cc

@@ -1268,6 +1268,7 @@ sortlength(THD *thd, SORT_FIELD *sortorder, uint s_length,
       switch ((sortorder->result_type=sortorder->item->result_type())) {
       case STRING_RESULT:
 	sortorder->length=sortorder->item->max_length;
+        set_if_smaller(sortorder->length, thd->variables.max_sort_length);
 	if (use_strnxfrm((cs=sortorder->item->collation.collation)))
 	{ 
           sortorder->length= cs->coll->strnxfrmlen(cs, sortorder->length);