Fix bug lp:993745

This is a backport of the fix for MySQL bug #13723054 in 5.6.

Original comment:
      The crash is caused by arbitrary memory area owerwriting in case of
      BLOB fields during attempt to copy BLOB field key image into record
      buffer(record buffer is too small to get BLOB key part image).
      note:
      QUICK_GROUP_MIN_MAX_SELECT can not work with BLOB fields
      because it uses record buffer as temporary buffer for key values
      however this case is filtered out by covering_keys() check
      in get_best_group_min_max() as BLOBs always require key length
      modificator in the key declaration and if the key has a BLOB
      then it can not be covered key.
      The fix is to use 'max_used_key_length' key length instead of 0.

Analysis:
Spcifically the crash in this bug was a result of the call to key_copy()
that copied the whole key, inlcuding the BLOB field which is not used
for index access. Copying the blob field overwrote memory as far as the
function parameter 'key_info'. As a result the contents of key_info was
all 0, which resulted in a crash when this key_info was accessed few
lines below in key_cmp().

mysql-test/r/func_group_innodb.result

@@ -145,3 +145,16 @@ select count(*), min(7), max(7) from t2m, t1i;
 count(*)	min(7)	max(7)
 0	NULL	NULL
 drop table t1m, t1i, t2m, t2i;
+#
+# Bug#13723054 CRASH WITH MIN/MAX AFTER QUICK_GROUP_MIN_MAX_SELECT::NEXT_MIN
+#
+CREATE TABLE t1(a BLOB, b VARCHAR(255) CHARSET LATIN1, c INT,
+KEY(b, c, a(765))) ENGINE=INNODB;
+INSERT INTO t1(a, b, c) VALUES ('', 'a', 0), ('', 'a', null), ('', 'a', 0);
+SELECT MIN(c) FROM t1 GROUP BY b;
+MIN(c)
+0
+EXPLAIN SELECT MIN(c) FROM t1 GROUP BY b;
+id	select_type	table	type	possible_keys	key	key_len	ref	rows	Extra
+1	SIMPLE	t1	range	NULL	b	263	NULL	4	Using index for group-by
+DROP TABLE t1;

mysql-test/t/func_group_innodb.test

@@ -83,3 +83,17 @@ explain select count(*), min(7), max(7) from t2m, t1i;
 select count(*), min(7), max(7) from t2m, t1i;
 
 drop table t1m, t1i, t2m, t2i;
+
+
+--echo #
+--echo # Bug#13723054 CRASH WITH MIN/MAX AFTER QUICK_GROUP_MIN_MAX_SELECT::NEXT_MIN
+--echo #
+
+CREATE TABLE t1(a BLOB, b VARCHAR(255) CHARSET LATIN1, c INT,
+                KEY(b, c, a(765))) ENGINE=INNODB;
+INSERT INTO t1(a, b, c) VALUES ('', 'a', 0), ('', 'a', null), ('', 'a', 0);
+
+SELECT MIN(c) FROM t1 GROUP BY b;
+EXPLAIN SELECT MIN(c) FROM t1 GROUP BY b;
+
+DROP TABLE t1;

sql/opt_range.cc

@@ -10827,7 +10827,7 @@ int QUICK_GROUP_MIN_MAX_SELECT::next_min()
     if (min_max_arg_part && min_max_arg_part->field->is_null())
     {
       /* Find the first subsequent record without NULL in the MIN/MAX field. */
-      key_copy(tmp_record, record, index_info, 0);
+      key_copy(tmp_record, record, index_info, max_used_key_length);
       result= file->ha_index_read_map(record, tmp_record,
                                       make_keypart_map(real_key_parts),
                                       HA_READ_AFTER_KEY);