MDEV-32758: TRIM uses memory after freed

Item_func_trim::trimmed_value() prepares Item_func_trim::tmp_value
to be the return value of Item_func_trim::val_str().

Before the fix, tmp_value would have pointer to the trimmed string, but
didn't own it. This meant that second use of TRIM function could get to
point to temporary buffer, then free the buffer and invalidate the return
value of the first use of TRIM().

Avoid this by copying the return value into Item_func_trim::tmp_value.

Author: bsrikanth-mariadb

mysql-test/main/func_str.result

@@ -5421,4 +5421,13 @@ x
 NULL
 Warnings:
 Warning	1301	Result of hex() was larger than max_allowed_packet (16777216) - truncated
+#
+# MDEV-32758: TRIM uses memory after freed
+#
+CREATE TABLE t0 (i DOUBLE);
+INSERT INTO t0 VALUES (1);
+SELECT LOCATE(a , 'data1-data2', a) AS c FROM (SELECT TRIM(i) AS a FROM t0 )dt;
+c
+5
+DROP TABLE t0;
 # End of 10.6 tests

mysql-test/main/func_str.test

@@ -2455,4 +2455,13 @@ DROP TABLE t1;
 --echo #
 select hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex(hex('\\'))))))))))))))))))))))))))))))))))))))))))))) as x;
 
+--echo #
+--echo # MDEV-32758: TRIM uses memory after freed
+--echo #
+CREATE TABLE t0 (i DOUBLE);
+INSERT INTO t0 VALUES (1);
+SELECT LOCATE(a , 'data1-data2', a) AS c FROM (SELECT TRIM(i) AS a FROM t0 )dt;
+
+DROP TABLE t0;
+
 --echo # End of 10.6 tests

sql/item_strfunc.h

@@ -763,7 +763,11 @@ class Item_func_trim :public Item_str_func
     if (length == 0)
       return make_empty_result(&tmp_value);
 
-    tmp_value.set(*res, offset, length);
+    if (tmp_value.copy(res->ptr() + offset, length, res->charset()))
+    {
+      my_error(ER_OUTOFMEMORY, length);
+      return NULL;
+    }
     /*
       Make sure to return correct charset and collation:
       TRIM(0x000000 FROM _ucs2 0x0061)