Bug#41212 crash after race condition between merge table and table_cache evictions

On 64-bit Windows: querying MERGE table with keys may cause
server crash.The problem is generic and may affect any statement
accessing MERGE table cardinality values.
When MERGE engine was copying cardinality statistics, it was
using incorrect size of element in cardinality statistics array
(sizeof(ptr)==8 instead of sizeof(ulong)==4), causing access
of memory beyond of the allocated bounds.

sql/ha_myisam.cc

@@ -1684,7 +1684,7 @@ int ha_myisam::info(uint flag)
     if (share->key_parts)
       memcpy((char*) table->key_info[0].rec_per_key,
 	     (char*) misam_info.rec_per_key,
-	     sizeof(table->key_info[0].rec_per_key)*share->key_parts);
+             sizeof(table->key_info[0].rec_per_key[0])*share->key_parts);
     raid_type= misam_info.raid_type;
     raid_chunks= misam_info.raid_chunks;
     raid_chunksize= misam_info.raid_chunksize;

sql/ha_myisammrg.cc

@@ -402,11 +402,11 @@ int ha_myisammrg::info(uint flag)
         with such a number, it'll be an error later anyway.
       */
       bzero((char*) table->key_info[0].rec_per_key,
-            sizeof(table->key_info[0].rec_per_key) * table->s->key_parts);
+            sizeof(table->key_info[0].rec_per_key[0]) * table->s->key_parts);
 #endif
       memcpy((char*) table->key_info[0].rec_per_key,
 	     (char*) mrg_info.rec_per_key,
-             sizeof(table->key_info[0].rec_per_key) *
+             sizeof(table->key_info[0].rec_per_key[0]) *
              min(file->keys, table->s->key_parts));
     }
   }

sql/table.cc

@@ -233,7 +233,7 @@ int openfrm(THD *thd, const char *name, const char *alias, uint db_stat,
 
   ulong *rec_per_key;
   if (!(rec_per_key= (ulong*) alloc_root(&outparam->mem_root,
-					 sizeof(ulong*)*key_parts)))
+                                         sizeof(ulong)*key_parts)))
     goto err;
 
   for (i=0 ; i < keys ; i++, keyinfo++)