      Description

      MySQL 5.5.36 has a fix for Bug#12368495 CRASH AND/OR VALGRIND ERRORS WITH REVERSE FUNCTION AND CHARSET CONVERTS

      As usual, there is no test case.

      The patch adds an assert to Item_func_reverse::val_str() (which, apparently, was the reason for a crash in the first place) and changes Item_func_trim::val_str() to check (and re-check, inside a trimming loop!) multi-byte characters of the prefix.

      It is very suspicious, though, that the patch fixes only Item_func_trim::val_str(), but not the completely identical Item_func_ltrim::val_str().


      Analysis revealed that:
      1. The bug is not completely fixed: using TRIM(LEADING ...) instead of TRIM(BOTH ...) hits the unfixed Item_func_ltrim::val_str() and the bug reappears.
      2. Item_func_reverse::val_str() fails because it relies on my_ismbchar(), but for ucs2 and utf32 this returns a value outside of the string boundary. It's a bug in ismbchar(), not in REVERSE(). This must be fixed.
      3. TRIM returns an invalid string because it doesn't set the charset of the returned string correctly. This must be fixed.
      4. The upstream patch should be removed.
      5. It's interesting to see whether one can hit this issue in REVERSE() without using TRIM().
      6. Additionally, we found an inconsistency in how item_sep is used in my_coll_agg_error() and agg_item_collations(). This should be resolved too.
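
      Added example, not code from the server or from the reporter: a simplified C model of item 2, showing how a character-by-character reverse loop goes out of bounds when a fixed-width charset helper reports a length without checking the end of the string, and how a bounds-aware helper avoids it. The names `ismbchar_fn`, `ucs2_ismbchar_unchecked`, `ucs2_ismbchar_checked` and `reverse_chars` are hypothetical, and the odd-length input is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper type: returns the byte length of the character at p,
   or 0 if there is no complete multi-byte character there. */
typedef size_t (*ismbchar_fn)(const unsigned char *p, const unsigned char *end);

/* Model of the flaw: a fixed-width charset answers "2 bytes" without
   looking at end, so the length can point past the string boundary. */
static size_t ucs2_ismbchar_unchecked(const unsigned char *p, const unsigned char *end)
{
  (void) p; (void) end;
  return 2;
}

/* Bounds-aware variant: claim a character only if both bytes are present. */
static size_t ucs2_ismbchar_checked(const unsigned char *p, const unsigned char *end)
{
  return (size_t) (end - p) >= 2 ? 2 : 0;
}

/* Reverse src character by character into dst (len bytes each).
   Returns 0 on success, -1 when the helper claims more bytes than remain;
   an unguarded loop would read past src and write before dst there. */
static int reverse_chars(const unsigned char *src, size_t len,
                         unsigned char *dst, ismbchar_fn ismbchar)
{
  const unsigned char *p = src, *end = src + len;
  unsigned char *out = dst + len;
  while (p < end) {
    size_t l = ismbchar(p, end);
    if (l > (size_t) (end - p))
      return -1;
    if (l) { out -= l; memcpy(out, p, l); p += l; }
    else *--out = *p++;
  }
  return 0;
}

int main(void)
{
  /* Constructed input: ucs2 "A" followed by one stray byte (odd length). */
  const unsigned char cut[3] = { 0x00, 'A', 0x00 };
  unsigned char out[3];
  printf("unchecked: %d\n", reverse_chars(cut, 3, out, ucs2_ismbchar_unchecked));
  printf("checked:   %d\n", reverse_chars(cut, 3, out, ucs2_ismbchar_checked));
  return 0;
}
```

      An odd-length ucs2 buffer is the kind of input a string with a wrongly set charset (item 3) can hand to such a loop.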

            People

            • Assignee: Alexander Barkov (bar)
            • Reporter: Sergei Golubchik (serg)