MDEV-25754 ASAN: stack-buffer-overflow in Field_newdate::val_str()

Problem was that Field_newdate() didn't allocate a string big enough for
the result.

mysql-test/main/strings.result

@@ -17,3 +17,13 @@ SELECT length(ENCRYPT(a)) AS f, COUNT(*) FROM t1 GROUP BY f;
 f	COUNT(*)
 13	2
 DROP TABLE t1;
+#
+# MDEV-25754 ASAN: stack-buffer-overflow in Field_newdate::val_str
+#
+CREATE TABLE t1 (d DATE);
+INSERT INTO t1 VALUES ('1920-03-02'),('2020-12-01');
+SELECT LENGTH(CONCAT_WS(d, ' ')) FROM t1;
+LENGTH(CONCAT_WS(d, ' '))
+1
+1
+DROP TABLE t1;

mysql-test/main/strings.test

@@ -24,3 +24,12 @@ CREATE TABLE t1 (a DECIMAL(15,11) ZEROFILL);
 INSERT INTO t1 (a) VALUES (0.1),(0.2);
 SELECT length(ENCRYPT(a)) AS f, COUNT(*) FROM t1 GROUP BY f;
 DROP TABLE t1;
+
+--echo #
+--echo # MDEV-25754 ASAN: stack-buffer-overflow in Field_newdate::val_str
+--echo #
+
+CREATE TABLE t1 (d DATE);
+INSERT INTO t1 VALUES ('1920-03-02'),('2020-12-01');
+SELECT LENGTH(CONCAT_WS(d, ' ')) FROM t1;
+DROP TABLE t1;

sql/field.cc

@@ -6751,7 +6751,7 @@ String *Field_newdate::val_str(String *val_buffer,
 			       String *val_ptr __attribute__((unused)))
 {
   DBUG_ASSERT(marked_for_read());
-  val_buffer->alloc(field_length);
+  val_buffer->alloc(field_length+1);
   val_buffer->length(field_length);
   uint32 tmp=(uint32) uint3korr(ptr);
   int part;
@@ -6923,7 +6923,7 @@ longlong Field_datetime0::val_int(void)
 String *Field_datetime0::val_str(String *val_buffer,
                                  String *val_ptr __attribute__((unused)))
 {
-  val_buffer->alloc(field_length);
+  val_buffer->alloc(field_length+1);
   val_buffer->length(field_length);
 
   DBUG_ASSERT(marked_for_read());