Fix for bug #41868: crash or memory overrun with concat + upper,

date_format functions

String::realloc() did not check whether the existing string data fits in
the newly allocated buffer for cases when reallocating a String object
with external buffer (i.e.alloced == FALSE).  This could lead to memory
overruns in some cases.

client/sql_string.cc:
  Fixed String::realloc() to check whether the existing string data fits
  in the newly allocated buffer for cases when reallocating a String
  object with external buffer.
mysql-test/r/func_str.result:
  Added a test case for bug #41868.
mysql-test/t/func_str.test:
  Added a test case for bug #41868.
sql/sql_class.cc:
  After each call to Item::send() in select_send::send_data() reset
  buffer to its original state to reduce unnecessary malloc() calls. See
  comments for bug #41868 for detailed analysis.
sql/sql_string.cc:
  Fixed String::realloc() to check whether the existing string data fits
  in the newly allocated buffer for cases when reallocating a String
  object with external buffer.

mysql-test/r/func_str.result

@@ -2181,4 +2181,10 @@ def					format(a, 2)	253	20	4	Y	0	2	8
 format(a, 2)
 1.33
 drop table t1;
+CREATE TABLE t1 (c DATE, aa VARCHAR(30));
+INSERT INTO t1 VALUES ('2008-12-31','aaaaaa');
+SELECT DATE_FORMAT(c, GET_FORMAT(DATE, 'eur')) h, CONCAT(UPPER(aa),', ', aa) i FROM t1;
+h	i
+31.12.2008	AAAAAA, aaaaaa
+DROP TABLE t1;
 End of 5.0 tests

mysql-test/t/func_str.test

@@ -1159,4 +1159,13 @@ select format(a, 2) from t1;
 --disable_metadata
 drop table t1;
 
+#
+# Bug #41868: crash or memory overrun with concat + upper, date_format functions
+#
+
+CREATE TABLE t1 (c DATE, aa VARCHAR(30));
+INSERT INTO t1 VALUES ('2008-12-31','aaaaaa');
+SELECT DATE_FORMAT(c, GET_FORMAT(DATE, 'eur')) h, CONCAT(UPPER(aa),', ', aa) i FROM t1;
+DROP TABLE t1;
+
 --echo End of 5.0 tests