Fix bug GH-8058 - mysqlnd segfault when prepare fails

Author: kamil-tekiela

ext/mysqli/tests/gh8058.phpt

@@ -0,0 +1,39 @@
+--TEST--
+GH-8058 (NULL pointer dereference in mysqlnd package (#81706))
+--SKIPIF--
+<?php
+require_once 'skipif.inc';
+require_once 'skipifconnectfailure.inc';
+?>
+--FILE--
+<?php
+require_once "connect.inc";
+
+mysqli_report(MYSQLI_REPORT_OFF);
+$mysqli = new my_mysqli($host, $user, $passwd, $db, $port, $socket);
+
+// There should be no segfault due to NULL deref
+$stmt = $mysqli->prepare("select 1,2,3");
+$stmt->bind_result($a,$a,$a);
+$stmt->prepare("");
+$stmt->prepare("select ".str_repeat("'A',", 0x1201)."1");
+unset($stmt); // trigger dtor
+
+// There should be no memory leak
+$stmt = $mysqli->prepare("select 1,2,3");
+$stmt->bind_result($a,$a,$a);
+$stmt->prepare("");
+$stmt->prepare("select 1");
+unset($stmt); // trigger dtor
+
+mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
+$stmt = $mysqli->prepare("select 1,2,3");
+try {
+    // We expect an exception to be thrown
+    $stmt->prepare("");
+} catch (mysqli_sql_exception $e) {
+    var_dump($e->getMessage());
+}
+?>
+--EXPECT--
+string(15) "Query was empty"

ext/mysqlnd/mysqlnd_ps.c

@@ -502,9 +502,9 @@ MYSQLND_METHOD(mysqlnd_stmt, prepare)(MYSQLND_STMT * const s, const char * const
 
 fail:
 	if (stmt_to_prepare != stmt && s_to_prepare) {
+		COPY_CLIENT_ERROR(stmt->error_info, *stmt_to_prepare->error_info);
 		s_to_prepare->m->dtor(s_to_prepare, TRUE);
 	}
-	stmt->state = MYSQLND_STMT_INITTED;
 
 	DBG_INF("FAIL");
 	DBG_RETURN(FAIL);