Bug#27898 UPDATEXML Crashes the Server!

Problem: when replacing the root element, UpdateXML
erroneously tried to mix old XML content with the
replacement string, which led to crash.
Fix: don't use the old XML content in these cases,
just return the replacement string.

mysql-test/r/xml.result

@@ -547,6 +547,13 @@ UpdateXML(@xml, '/a/b/@bb2', '')
 select UpdateXML(@xml, '/a/b/@bb2', 'bb3="bb3"');
 UpdateXML(@xml, '/a/b/@bb2', 'bb3="bb3"')
 <a aa1="aa1" aa2="aa2"><b bb1="bb1" bb3="bb3">bb</b></a>
+select updatexml('<div><div><span>1</span><span>2</span></div></div>',
+'/','<tr><td>1</td><td>2</td></tr>') as upd1;
+upd1
+<tr><td>1</td><td>2</td></tr>
+select updatexml('', '/', '') as upd2;
+upd2
+
 SET @xml= '<order><clerk>lesser wombat</clerk></order>';
 select extractvalue(@xml,'order/clerk');
 extractvalue(@xml,'order/clerk')

mysql-test/t/xml.test

@@ -231,6 +231,13 @@ select UpdateXML(@xml, '/a/b/@bb1', 'bb3="bb3"');
 select UpdateXML(@xml, '/a/b/@bb2', '');
 select UpdateXML(@xml, '/a/b/@bb2', 'bb3="bb3"');
 
+#
+# Bug#27898 UPDATEXML Crashes the Server!
+#
+select updatexml('<div><div><span>1</span><span>2</span></div></div>',
+                 '/','<tr><td>1</td><td>2</td></tr>') as upd1;
+select updatexml('', '/', '') as upd2;
+
 #
 #  Bug#16234 XML: Crash if ExtractValue()
 #

sql/item_xmlfunc.cc

@@ -2768,6 +2768,16 @@ String *Item_func_xml_update::val_str(String *str)
 
   nodebeg+= fltbeg->num;
 
+  if (!nodebeg->level)
+  {
+    /*
+      Root element, without NameTest:
+      UpdateXML(xml, '/', 'replacement');
+      Just return the replacement string.
+    */
+    return rep;
+  }
+
   tmp_value.length(0);
   tmp_value.set_charset(collation.collation);
   uint offs= nodebeg->type == MY_XML_NODE_TAG ? 1 : 0;