author | Alexander Barkov <bar@mysql.com> | 2010-11-11 13:25:23 +0300 |
---|---|---|
committer | Alexander Barkov <bar@mysql.com> | 2010-11-11 13:25:23 +0300 |
commit | aa668865e271694e9b3ebbfe518cb4d0c2ad0c38 (patch) | |
tree | c6f7021e2960150a80f50095d0a6d53262e74c33 /sql/item_strfunc.cc | |
parent | 9f71cfc0a965b581c1aa1744d3e092f6f1493a49 (diff) | |
Bug#57257 Replace(ExtractValue(...)) causes MySQL crash
Bug#57820 extractvalue crashes
Problem: ExtractValue and Replace crashed in some cases
due to invalid handling of empty and NULL arguments.
Per file comments:
@mysql-test/r/ctype_ujis.result
@mysql-test/r/xml.result
@mysql-test/t/ctype_ujis.test
@mysql-test/t/xml.test
Adding tests
@sql/item_strfunc.cc
Make sure Item_func_replace::val_str safely handles empty strings.
@sql/item_xmlfunc.cc
set null_value if nodeset_func returned NULL,
which is possible when the second argument is an
unset user variable.
Diffstat (limited to 'sql/item_strfunc.cc')
-rw-r--r-- | sql/item_strfunc.cc | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/sql/item_strfunc.cc b/sql/item_strfunc.cc
index 8fda281bd9e..fd5c47d25cb 100644
--- a/sql/item_strfunc.cc
+++ b/sql/item_strfunc.cc
@@ -904,9 +904,15 @@ String *Item_func_replace::val_str(String *str)
 search=res2->ptr();
 search_end=search+from_length;
 redo:
+ DBUG_ASSERT(res->ptr() || !offset);
 ptr=res->ptr()+offset;
 strend=res->ptr()+res->length();
- end=strend-from_length+1;
+ /*
+ In some cases val_str() can return empty string
+ with ptr() == NULL and length() == 0.
+ Let's check strend to avoid overflow.
+ */
+ end= strend ? strend - from_length + 1 : NULL;
 while (ptr < end)
 {
 if (*ptr == *search) |
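Review bot: The new `end=` line still evaluates `strend - from_length + 1` whenever `strend` is non-NULL, so a non-empty `res` whose length is smaller than `from_length` produces a pointer that lies before the start of the buffer, which is undefined pointer arithmetic even though the following `ptr < end` comparison will in practice come out false. Unless `Item_func_replace::val_str` already rejects `from_length > res->length()` before reaching `redo:` (that part of the function is outside the hunk), the guard should be expressed on lengths rather than on the pointer alone, e.g. `end= (strend && res->length() >= from_length) ? strend - from_length + 1 : NULL;`. The `DBUG_ASSERT(res->ptr() || !offset)` added above `ptr=` is compiled out in release builds, so the comment on the `end=` line is the only place that explains the protection; it would be clearer as `/* val_str() may return ptr()==NULL with length()==0 (or a buffer shorter than the search string); computing end from such a pointer is undefined, so derive it only when the buffer can hold from_length bytes. */`. `Item_func_replace::val_str` starts before and continues after this hunk.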