Bug#36684463 crash in my_convert_internal()

Do not return pointer to stack data, copy the result to 'tmp_value'
which is in some mem_root (on the heap).

Change-Id: I909e1faa6d175074f2ff925cce2d046e5f8e3a16
(cherry picked from commit 6d49e032d2fda8ebf5bb5033b3335a8b44831d0d)

Author: Tor Didriksen

sql/item_xmlfunc.cc

@@ -2529,13 +2529,14 @@ String *Item_func_xml_update::val_str(String *str) {
 
   const MY_XML_NODE *node = &pxml.at(nodeset.at(0).num);
 
-  if (!node->level) {
+  if (node->level == 0) {
     /*
       Root element, without NameTest:
       UpdateXML(xml, '/', 'replacement');
       Just return the replacement string.
     */
-    return rep;
+    tmp_value.copy(*rep);
+    return &tmp_value;
   }
 
   tmp_value.length(0);