Details
Description
~~~sql
SELECT LOWER ( ( WITH RECURSIVE x ( x ) AS ( WITH RECURSIVE x ( x ) AS ( SELECT 1 UNION SELECT x + 1 FROM ( SELECT * FROM ( SELECT 1 AS x UNION SELECT x FROM ( WITH RECURSIVE x ( x ) AS ( SELECT 1 UNION SELECT x + 1 FROM x ) SELECT * FROM x ) AS x UNION SELECT 3 UNION SELECT 4 UNION SELECT 5 ) AS x ) AS x ) SELECT * FROM x WHERE ( 3 , 33 ) <= ( x , '31' ) ) SELECT x FROM ( SELECT x FROM ( SELECT * FROM ( SELECT 1 AS x UNION SELECT 2 UNION SELECT 3 ) AS x ) AS x ) AS x WHERE x IN ( SELECT x FROM x WHERE x IN ( SELECT * FROM x GROUP BY ( SELECT x ORDER BY x IN ( COALESCE ( x ) , x ) ) HAVING ST_BUFFER ( ST_GEOMFROMTEXT ( 'MULTIPOINT(0 0,0 5,5 5,5 0,0 0)' ) , 5 ) ) ) ORDER BY x LIMIT 1 ) ) ; SELECT x , tan ( radians ( ( SELECT x GROUP BY x HAVING x = 'hello' UNION SELECT 4 ) ) ) , CASE WHEN tan ( radians ( x ) ) IN ( - x , -1 , 0 , 1 , x ) THEN TRUE ELSE ROW_NUMBER ( ) OVER ( ORDER BY AVG ( 0 ) ) END AS x , 1 % tan ( ST_LatFromGeoHash ( x ) ) , CASE WHEN 1 / tan ( radians ( x ) ) IN ( - x , -1 , 0 , 1 , x ) THEN TRUE ELSE FALSE END AS x FROM ( SELECT 0 AS x UNION SELECT 45 UNION SELECT 90 UNION SELECT 135 UNION SELECT CAST( 1 AS DECIMAL ) UNION SELECT 225 UNION SELECT 270 UNION SELECT 315 UNION SELECT 360 ) AS x ;
~~~
- Expected result
The server should either execute the query or return a normal SQL error without crashing.
- Actual result
The fuzzing run observed a server crash. The deduplicated stack signature is:
~~~
stack:Z17setup_copy_fieldsP3THDP15TMP_TABLE_PARAM20Bounds_checked_arrayIP4ItemER4ListIS4_ES9_jS9|_ZN4JOIN21make_aggr_tables_infoEv|_ZN4JOIN15optimize_stage2Ev|_ZN4JOIN14optimize_innerEv|_ZN4JOIN8optimizeEv|_ZN13st_select_lex31optimize_unflattened_subqueriesEb|_Z12mysql_selectP3THDP10TABLE_LISTR4ListI4ItemEPS4_jP8st_orderS9_S7_S9_yP13select_resultP18st_select_lex_unitP13st_select_lex|_Z13handle_selectP3THDP3LEXP13select_resulty
~~~
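The signature above is a `|`-separated list of Itanium-mangled C++ symbols, innermost frame first, which is awkward to read when grouping fuzzer crashes. The following script is an added triage helper, not part of this report or of MariaDB's own fuzzing tooling: it decodes just the two mangling forms that occur here (plain `_Z<len><name>` and nested `_ZN...E`), leaves anything else untouched, and derives a grouping key from the innermost three frames. The choice of three frames and SHA-256 for the key is an illustrative convention assumed for this example, and the embedded signature is a constructed copy of the one quoted above.

```python
import hashlib
import re

# Constructed copy of the stack signature quoted in this report; the first frame
# lacks its leading underscore exactly as it appears on the page.
STACK_SIGNATURE = (
    "stack:Z17setup_copy_fieldsP3THDP15TMP_TABLE_PARAM20Bounds_checked_arrayIP4ItemER4ListIS4_ES9_jS9"
    "|_ZN4JOIN21make_aggr_tables_infoEv"
    "|_ZN4JOIN15optimize_stage2Ev"
    "|_ZN4JOIN14optimize_innerEv"
    "|_ZN4JOIN8optimizeEv"
    "|_ZN13st_select_lex31optimize_unflattened_subqueriesEb"
    "|_Z12mysql_selectP3THDP10TABLE_LISTR4ListI4ItemEPS4_jP8st_orderS9_S7_S9_yP13select_resultP18st_select_lex_unitP13st_select_lex"
    "|_Z13handle_selectP3THDP3LEXP13select_resulty"
)


def _read_source_name(sym, pos):
    """Read one <length><identifier> component starting at pos.

    Returns (identifier, position after it), or (None, pos) when there is no
    length prefix (a CV-qualifier or template marker this helper does not decode).
    """
    m = re.match(r"\d+", sym[pos:])
    if not m:
        return None, pos
    length = int(m.group())
    start = pos + len(m.group())
    return sym[start:start + length], start + length


def function_name(symbol):
    """Recover the qualified function name from an Itanium-mangled symbol.

    Only the two forms present in this report's signature are decoded:
    plain '_Z<len><name>...' and nested '_ZN<len><name><len><name>...E...'.
    Parameter-type encodings after the name are ignored. Anything the parser
    cannot read is returned unchanged so a triage script never mislabels a frame.
    """
    s = symbol.lstrip("_")
    if not s.startswith("Z") or len(s) < 3:
        return symbol
    pos = 1
    if s[pos] != "N":
        name, _ = _read_source_name(s, pos)
        return name if name else symbol
    pos += 1
    parts = []
    while pos < len(s) and s[pos] != "E":
        name, pos = _read_source_name(s, pos)
        if name is None:
            return symbol  # qualifier or template marker we do not decode
        parts.append(name)
    return "::".join(parts) if parts else symbol


def parse_stack_signature(signature):
    """Split a 'stack:<frame>|<frame>|...' line into demangled frame names, innermost first."""
    body = signature[len("stack:"):] if signature.startswith("stack:") else signature
    return [function_name(frame) for frame in body.split("|") if frame]


def dedup_key(signature, depth=3):
    """Short stable key over the innermost `depth` frames (assumed convention),
    so crashes that differ only in outer call context group together."""
    frames = parse_stack_signature(signature)[:depth]
    return hashlib.sha256("|".join(frames).encode()).hexdigest()[:16]


if __name__ == "__main__":
    for depth, frame in enumerate(parse_stack_signature(STACK_SIGNATURE)):
        print(f"#{depth} {frame}")
    print("dedup key:", dedup_key(STACK_SIGNATURE))
```

Run as a script it prints the eight frames (`setup_copy_fields`, `JOIN::make_aggr_tables_info`, ... , `handle_select`) followed by the key; feeding it the signatures from the linked duplicates would show whether they share the same innermost frames.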
Attachments
Issue Links
- is duplicated by
  - MDEV-39892 MariaDB crash triggered by GROUP BY/HAVING on derived SELECT (Closed)
  - MDEV-39893 MariaDB crash triggered by recursive CTE with GET_LOCK and CASE predicate (Closed)
- relates to
  - MDEV-29210 Assertion `param->field_count > (uint) (copy - copy_start)' failed in setup_copy_fields, SIGSEGV in JOIN::make_sum_func_list and TABLE_LIST::is_active_sjm (ES), ASAN: use-after-poison in Copy_field::set (Confirmed)
  - MDEV-38658 SIGSEGV and UBSAN detected null-pointer-use in setup_copy_fields on SELECT (Open)