Fix for bug #41868: crash or memory overrun with concat + upper,

date_format functions

String::realloc() did not check whether the existing string data fits in
the newly allocated buffer for cases when reallocating a String object
with external buffer (i.e.alloced == FALSE).  This could lead to memory
overruns in some cases.

client/sql_string.cc:
  Fixed String::realloc() to check whether the existing string data fits
  in the newly allocated buffer for cases when reallocating a String
  object with external buffer.
mysql-test/r/func_str.result:
  Added a test case for bug #41868.
mysql-test/t/func_str.test:
  Added a test case for bug #41868.
sql/sql_class.cc:
  After each call to Item::send() in select_send::send_data() reset
  buffer to its original state to reduce unnecessary malloc() calls. See
  comments for bug #41868 for detailed analysis.
sql/sql_string.cc:
  Fixed String::realloc() to check whether the existing string data fits
  in the newly allocated buffer for cases when reallocating a String
  object with external buffer.

client/sql_string.cc

@@ -71,25 +71,22 @@ bool String::realloc(uint32 alloc_length)
     char *new_ptr;
     if (alloced)
     {
-      if ((new_ptr= (char*) my_realloc(Ptr,len,MYF(MY_WME))))
-      {
-	Ptr=new_ptr;
-	Alloced_length=len;
-      }
-      else
-	return TRUE;				// Signal error
+      if (!(new_ptr= (char*) my_realloc(Ptr,len,MYF(MY_WME))))
+        return TRUE;				// Signal error
     }
     else if ((new_ptr= (char*) my_malloc(len,MYF(MY_WME))))
     {
+      if (str_length > len - 1)
+        str_length= 0;
       if (str_length)				// Avoid bugs in memcpy on AIX
 	memcpy(new_ptr,Ptr,str_length);
       new_ptr[str_length]=0;
-      Ptr=new_ptr;
-      Alloced_length=len;
       alloced=1;
     }
     else
       return TRUE;			// Signal error
+    Ptr= new_ptr;
+    Alloced_length= len;
   }
   Ptr[alloc_length]=0;			// This make other funcs shorter
   return FALSE;