Merge branch 'PHP-8.3'

cmb69 · cmb69 · commit 57f02e2aba96 · 2024-08-20T15:45:42.000+02:00
* PHP-8.3: Fix GH-15432: Heap corruption when querying a vector
diff --git a/NEWS b/NEWS
@@ -13,6 +13,10 @@ PHP                                                                        NEWS
   . Fixed bug GH-15456 (Crash in get_class_vars() on virtual properties).
     (ilutov)
 
+- MySQLnd:
+  . Fixed bug GH-15432 (Heap corruption when querying a vector). (cmb,
+    Kamil Tekiela)
+
 15 Aug 2024, PHP 8.4.0beta3
 
 - Core:
diff --git a/ext/mysqli/tests/gh15432.phpt b/ext/mysqli/tests/gh15432.phpt
@@ -0,0 +1,24 @@
+--TEST--
+Bug GH-15432 (Heap corruption when querying a vector)
+--EXTENSIONS--
+mysqli
+--SKIPIF--
+<?php
+require 'connect.inc';
+$link = @my_mysqli_connect($host, $user, $passwd, $db, $port, $socket);
+if ($link === false) {
+    die(sprintf("skip Can't connect to MySQL Server - [%d] %s", mysqli_connect_errno(), mysqli_connect_error()));
+}
+if ($link->server_version < 90000 || $link->server_version >= 10_00_00) {
+    die("skip MySQL 9.0.0+ needed");
+}
+?>
+--FILE--
+<?php
+require 'connect.inc';
+$link = my_mysqli_connect($host, $user, $passwd, $db, $port, $socket);
+var_dump($link->query('SELECT STRING_TO_VECTOR("[1.05, -17.8, 32]")'));
+?>
+--EXPECTF--
+Warning: mysqli::query(): Unknown type 242 sent by the server. Please send a report to the developers in %s on line %d
+bool(false)
diff --git a/ext/mysqlnd/mysqlnd_result.c b/ext/mysqlnd/mysqlnd_result.c
@@ -300,7 +300,7 @@ mysqlnd_query_read_result_set_header(MYSQLND_CONN_DATA * conn, MYSQLND_STMT * s)
 				if (FAIL == (ret = result->m.read_result_metadata(result, conn))) {
 					/* For PS, we leave them in Prepared state */
 					if (!stmt && conn->current_result) {
-						mnd_efree(conn->current_result);
+						conn->current_result->m.free_result(conn->current_result, TRUE);
 						conn->current_result = NULL;
 					}
 					DBG_ERR("Error occurred while reading metadata");

Original file line number	Diff line number	Diff line change
`@@ -300,7 +300,7 @@ mysqlnd_query_read_result_set_header(MYSQLND_CONN_DATA * conn, MYSQLND_STMT * s)`
`300`	`300`	`if (FAIL == (ret = result->m.read_result_metadata(result, conn))) {`
`301`	`301`	`/* For PS, we leave them in Prepared state */`
`302`	`302`	`if (!stmt && conn->current_result) {`
`303`		`- mnd_efree(conn->current_result);`
	`303`	`+ conn->current_result->m.free_result(conn->current_result, TRUE);`
`304`	`304`	`conn->current_result = NULL;`
`305`	`305`	`}`
`306`	`306`	`DBG_ERR("Error occurred while reading metadata");`