Fixed bug #70949 (SQL Result Sets With NULL Can Cause Fatal Memory Errors)

laruence · laruence · commit a347b0be48d8 · 2015-11-27T15:52:55.000+08:00
diff --git a/NEWS b/NEWS
@@ -20,6 +20,8 @@ PHP                                                                        NEWS
     from an array. (Bob)
 
 - Mysqlnd:
+  . Fixed bug #70949 (SQL Result Sets With NULL Can Cause Fatal Memory Errors).
+    (Laruence)
   . Fixed bug #68077 (LOAD DATA LOCAL INFILE / open_basedir restriction).
     (Laruence)
 
diff --git a/ext/mysqli/tests/bug70949.phpt b/ext/mysqli/tests/bug70949.phpt
@@ -0,0 +1,62 @@
+--TEST--
+Bug #70949 (SQL Result Sets With NULL Can Cause Fatal Memory Errors)
+--SKIPIF--
+<?php
+require_once('skipif.inc');
+require_once('skipifconnectfailure.inc');
+require_once("connect.inc");
+if (!$IS_MYSQLND) {
+	die("skip mysqlnd only test");
+}
+?>
+--FILE--
+<?php
+require_once("connect.inc");
+$mysql = new my_mysqli($host, $user, $passwd, $db, $port, $socket);
+
+$mysql->query("DROP TABLE IF EXISTS bug70949");
+$mysql->query("CREATE TABLE bug70949(name varchar(255))");
+$mysql->query("INSERT INTO bug70949 VALUES ('dummy'),(NULL),('foo'),('bar')");
+
+$sql = "select * from bug70949";
+
+if ($stmt = $mysql->prepare($sql))
+{	
+	$stmt->attr_set(MYSQLI_STMT_ATTR_CURSOR_TYPE, MYSQLI_CURSOR_TYPE_READ_ONLY);
+
+	if ($stmt->bind_result($name)) {
+		{
+			if ($stmt->execute())
+			{
+				while ($stmt->fetch())
+				{	
+					var_dump($name);
+				}
+			}
+		}
+
+		$stmt->free_result();
+		$stmt->close();
+	}
+
+
+	$mysql->close();
+}
+
+?>
+--CLEAN--
+<?php
+require_once("connect.inc");
+if (!$link = my_mysqli_connect($host, $user, $passwd, $db, $port, $socket))
+   printf("[c001] [%d] %s\n", mysqli_connect_errno(), mysqli_connect_error());
+
+if (!mysqli_query($link, "DROP TABLE IF EXISTS bug70949"))
+	printf("[c002] Cannot drop table, [%d] %s\n", mysqli_errno($link), mysqli_error($link));
+
+mysqli_close($link);
+?>
+--EXPECT--
+string(5) "dummy"
+NULL
+string(3) "foo"
+string(3) "bar"
diff --git a/ext/mysqlnd/mysqlnd_ps.c b/ext/mysqlnd/mysqlnd_ps.c
@@ -1115,6 +1115,8 @@ mysqlnd_fetch_stmt_row_cursor(MYSQLND_RES * result, void * param, unsigned int f
 						ZVAL_COPY_VALUE(result, data);
 						/* copied data, thus also the ownership. Thus null data */
 						ZVAL_NULL(data);
+					} else {
+						ZVAL_NULL(result);
 					}
 				}
 			}

Original file line number	Diff line number	Diff line change
`@@ -1115,6 +1115,8 @@ mysqlnd_fetch_stmt_row_cursor(MYSQLND_RES * result, void * param, unsigned int f`
`1115`	`1115`	`ZVAL_COPY_VALUE(result, data);`
`1116`	`1116`	`/* copied data, thus also the ownership. Thus null data */`
`1117`	`1117`	`ZVAL_NULL(data);`
	`1118`	`+ } else {`
	`1119`	`+ ZVAL_NULL(result);`
`1118`	`1120`	`}`
`1119`	`1121`	`}`
`1120`	`1122`	`}`