MDEV-28130 MariaDB SEGV issue at tree_search_next

In case of error last_pos points to null_element and there is no any
other children. tree_search_next() walks the children from last_pos
until the leaves (null_element) ignoring the case the topmost parent
in search state is the leaf itself.

mysql-test/suite/heap/heap.result

@@ -884,3 +884,15 @@ CREATE TABLE t1 (a VARCHAR(128), b VARCHAR(32), KEY(a) USING BTREE, KEY(b) USING
 INSERT INTO t1 VALUES ('foo',NULL),('m','b'),(6,'j'),('bar','qux'),(NULL,NULL);
 DELETE FROM t1 WHERE a <=> 'm' OR b <=> NULL;
 DROP TABLE t1;
+#
+# MDEV-28130 MariaDB SEGV issue at tree_search_next
+#
+CREATE TABLE v(t1 INT, pk INT, KEY(t1), KEY pk using btree (pk), KEY v using btree(t1, pk)) engine=memory;
+HANDLER v OPEN;
+HANDLER v READ t1=(2) limit 3;
+t1	pk
+HANDLER v READ pk PREV;
+t1	pk
+HANDLER v READ pk PREV;
+t1	pk
+drop table v;

mysql-test/suite/heap/heap.test

@@ -668,3 +668,13 @@ INSERT INTO t1 VALUES ('foo',NULL),('m','b'),(6,'j'),('bar','qux'),(NULL,NULL);
 DELETE FROM t1 WHERE a <=> 'm' OR b <=> NULL;
 # Cleanup
 DROP TABLE t1;
+
+--echo #
+--echo # MDEV-28130 MariaDB SEGV issue at tree_search_next
+--echo #
+CREATE TABLE v(t1 INT, pk INT, KEY(t1), KEY pk using btree (pk), KEY v using btree(t1, pk)) engine=memory;
+HANDLER v OPEN;
+HANDLER v READ t1=(2) limit 3;
+HANDLER v READ pk PREV;
+HANDLER v READ pk PREV;
+drop table v;

mysys/tree.c

@@ -494,6 +494,9 @@ void *tree_search_next(TREE *tree, TREE_ELEMENT ***last_pos, int l_offs,
                        int r_offs)
 {
   TREE_ELEMENT *x= **last_pos;
+
+  if (x == &null_element)
+    return NULL;
   
   if (ELEMENT_CHILD(x, r_offs) != &null_element)
   {