Fix use after free on pg_close() of default connection

nikic · nikic · commit b55715d61a90 · 2019-04-10T10:38:24.000+02:00
diff --git a/ext/pgsql/pgsql.c b/ext/pgsql/pgsql.c
@@ -90,7 +90,7 @@
 #define PQ_SETNONBLOCKING(pg_link, flag) 0
 #endif
 
-#define CHECK_DEFAULT_LINK(x) if ((x) == NULL) { php_error_docref(NULL, E_WARNING, "No PostgreSQL link opened yet"); }
+#define CHECK_DEFAULT_LINK(x) if ((x) == NULL) { php_error_docref(NULL, E_WARNING, "No PostgreSQL link opened yet"); RETURN_FALSE; }
 #define FETCH_DEFAULT_LINK()  PGG(default_link)
 
 #ifndef HAVE_PQFREEMEM
@@ -1559,13 +1559,15 @@ PHP_FUNCTION(pg_close)
 		return;
 	}
 
-	if (pgsql_link) {
-		link = Z_RES_P(pgsql_link);
-	} else {
-		link = FETCH_DEFAULT_LINK();
+	if (!pgsql_link) {
+		link = PGG(default_link);
 		CHECK_DEFAULT_LINK(link);
+		zend_list_delete(link);
+		PGG(default_link) = NULL;
+		RETURN_TRUE;
 	}
 
+	link = Z_RES_P(pgsql_link);
 	if (zend_fetch_resource2(link, "PostgreSQL link", le_link, le_plink) == NULL) {
 		RETURN_FALSE;
 	}
diff --git a/ext/pgsql/tests/close_default_link.phpt b/ext/pgsql/tests/close_default_link.phpt
@@ -0,0 +1,15 @@
+--TEST--
+pg_close() default link after connection variable has been dropped
+--SKIPIF--
+<?php include("skipif.inc"); ?>
+--FILE--
+<?php
+include('config.inc');
+
+/* Run me under valgrind */
+$db1 = pg_connect($conn_str);
+unset($db1);
+var_dump(pg_close());
+?>
+--EXPECT--
+bool(true)
