
Commit f6ba875

committed
Fix bug GH-8058 - mysqlnd segfault when prepare fails
1 parent 82b8830 commit f6ba875


2 files changed

+40
-1
lines changed


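--- a/ext/mysqli/tests/gh8058.phpt
+++ b/ext/mysqli/tests/gh8058.phpt
@@ -0,0 +1,39 @@
+--TEST--
+GH-8058 (NULL pointer dereference in mysqlnd package (#81706))
+--SKIPIF--
+<?php
+require_once 'skipif.inc';
+require_once 'skipifconnectfailure.inc';
+?>
+--FILE--
+<?php
+require_once "connect.inc";
+
+mysqli_report(MYSQLI_REPORT_OFF);
+$mysqli = new my_mysqli($host, $user, $passwd, $db, $port, $socket);
+
+// There should be no segfault due to NULL deref
+$stmt = $mysqli->prepare("select 1,2,3");
+$stmt->bind_result($a,$a,$a);
+$stmt->prepare("");
+$stmt->prepare("select ".str_repeat("'A',", 0x1201)."1");
+unset($stmt); // trigger dtor
+
+// There should be no memory leak
+$stmt = $mysqli->prepare("select 1,2,3");
+$stmt->bind_result($a,$a,$a);
+$stmt->prepare("");
+$stmt->prepare("select 1");
+unset($stmt); // trigger dtor
+
+mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
+$stmt = $mysqli->prepare("select 1,2,3");
+try {
+// We expect an exception to be thrown
+$stmt->prepare("");
+} catch (mysqli_sql_exception $e) {
+var_dump($e->getMessage());
+}
+?>
+--EXPECT--
+string(15) "Query was empty"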
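Review bot: The two `MYSQLI_REPORT_OFF` scenarios discard the result of the failing `$stmt->prepare("")`, so they only prove the absence of a crash; the propagated error is checked solely through the exception path at the end. Dumping the outcome after the failed call, e.g. `var_dump($stmt->prepare(""), $stmt->error);` with matching `--EXPECT--` lines, would also pin that the error reaches the original handle when exceptions are off. The repeat count `0x1201` in the first scenario is unexplained, so a one-line comment saying what size or limit the long query is meant to cross would keep it from being shortened later. The "no memory leak" scenario has no assertion of its own and presumably depends on the test runner's leak reporting, which its comment should say.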

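--- a/ext/mysqlnd/mysqlnd_ps.c
+++ b/ext/mysqlnd/mysqlnd_ps.c
@@ -502,9 +502,9 @@ MYSQLND_METHOD(mysqlnd_stmt, prepare)(MYSQLND_STMT * const s, const char * const
 
 fail:
 if (stmt_to_prepare != stmt && s_to_prepare) {
+COPY_CLIENT_ERROR(stmt->error_info, *stmt_to_prepare->error_info);
 s_to_prepare->m->dtor(s_to_prepare, TRUE);
 }
-stmt->state = MYSQLND_STMT_INITTED;
 
 DBG_INF("FAIL");
 DBG_RETURN(FAIL);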
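Review bot: With `stmt->state = MYSQLND_STMT_INITTED;` removed from the `fail:` path, a handle whose re-prepare fails keeps the state it had before the call, and nothing at the label says this is intentional. A comment there, e.g. `/* keep the previous state on failure: stmt still owns its old resources and must be torn down accordingly */`, would stop a later cleanup from re-adding the reset. It also appears to mean that a caller who ignores the failure can still execute the previously prepared statement on this handle; that looks deliberate, but the added test never executes after a failed prepare, so the behaviour is not pinned. The body of prepare() starts outside this hunk, so it cannot be confirmed from here that every `goto fail` has populated `stmt_to_prepare->error_info` before the new `COPY_CLIENT_ERROR` runs.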
