Bug#13013970 MORE CRASHES IN FIELD_BLOB::GET_KEY_IMAGE

The predicate is re-written from
((`test`.`g1`.`a` = geometryfromtext('')) or ...
to
((`test`.`g1`.`a` = <cache>(geometryfromtext(''))) or ...

The range optimizer calls save_in_field_no_warnings, in order to fetch keys.
save_in_field_no_warnings returns 0 because of the cache wrapper,
and get_mm_leaf() proceeded to call Field_blob::get_key_image() 
which accesses un-initialized data.

mysql-test/r/gis.result

@@ -1091,4 +1091,13 @@ FORCE INDEX(i) WHERE a = date_sub(now(), interval 2808.4 year_month)
 Warnings:
 Warning	1441	Datetime function: datetime field overflow
 DROP TABLE g1;
+#
+# Bug#13013970 MORE CRASHES IN FIELD_BLOB::GET_KEY_IMAGE
+#
+CREATE TABLE g1(a TEXT NOT NULL, KEY(a(255)));
+INSERT INTO g1 VALUES ('a'),('a');
+SELECT 1 FROM g1 WHERE a >= ANY
+(SELECT 1 FROM g1 WHERE a = geomfromtext('') OR a) ;
+1
+DROP TABLE g1;
 End of 5.5 tests

mysql-test/t/gis.test

@@ -838,5 +838,16 @@ FORCE INDEX(i) WHERE a = date_sub(now(), interval 2808.4 year_month)
 
 DROP TABLE g1;
 
+--echo #
+--echo # Bug#13013970 MORE CRASHES IN FIELD_BLOB::GET_KEY_IMAGE
+--echo #
+
+CREATE TABLE g1(a TEXT NOT NULL, KEY(a(255)));
+
+INSERT INTO g1 VALUES ('a'),('a');
+SELECT 1 FROM g1 WHERE a >= ANY
+(SELECT 1 FROM g1 WHERE a = geomfromtext('') OR a) ;
+
+DROP TABLE g1;
 
 --echo End of 5.5 tests

sql/item.cc

@@ -7924,8 +7924,8 @@ my_decimal *Item_cache_str::val_decimal(my_decimal *decimal_val)
 
 int Item_cache_str::save_in_field(Field *field, bool no_conversions)
 {
-  if (!has_value())
-    return 0;
+  if (!value_cached && !cache_value())
+    return -1;                      // Fatal: couldn't cache the value
   int res= Item_cache::save_in_field(field, no_conversions);
   return (is_varbinary && field->type() == MYSQL_TYPE_STRING &&
           value->length() < field->field_length) ? 1 : res;