Fix heap use after free
authorAnatol Belski <ab@php.net>
Mon, 12 Mar 2018 19:57:21 +0000 (20:57 +0100)
committerAnatol Belski <ab@php.net>
Mon, 12 Mar 2018 19:57:21 +0000 (20:57 +0100)
The value may only be used until the PGresult is destroyed, thus it needs
to be copied.

ext/pdo_pgsql/pgsql_statement.c

index 2d8e3c2fcfa9503c6804b38d4fcc6d5aee45a44e..b401917669473bfe297fe3bbbb47fb2d687ab9fc 100644 (file)
@@ -618,11 +618,13 @@ static zend_always_inline char * pdo_pgsql_translate_oid_to_table(Oid oid, PGcon
        }
        efree(querystr);
 
-       if ((table_name = PQgetvalue(tmp_res, 0, 0)) == NULL) {
+       if (1 == PQgetisnull(tmp_res, 0, 0) || (table_name = PQgetvalue(tmp_res, 0, 0)) == NULL) {
                PQclear(tmp_res);
                return 0;
        }
 
+       table_name = estrdup(table_name);
+
        PQclear(tmp_res);
        return table_name;
 }
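Review bot: The ownership of the string returned by pdo_pgsql_translate_oid_to_table changes at `table_name = estrdup(table_name);`, from a pointer into the PGresult to a heap copy the caller must release, and nothing on the function records that contract. The call site in pgsql_stmt_get_column_meta (second hunk) does call `efree(table_name)`, but any caller not shown in this diff would now leak, and a later edit that drops the copy would reintroduce the use after free without any visible hint. A comment above the function would pin it down, for example `/* Returns an emalloc'd copy of the relation name, or NULL; the caller must efree() it. */`. As a style point, the `return 0;` in the null branch would read better as `return NULL;` in a function returning `char *`. The function's body starts outside the hunk, so the earlier error paths could not be checked.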
@@ -652,6 +654,7 @@ static int pgsql_stmt_get_column_meta(pdo_stmt_t *stmt, zend_long colno, zval *r
        table_name = pdo_pgsql_translate_oid_to_table(table_oid, S->H->server);
        if (table_name) {
                add_assoc_string(return_value, "table", table_name);
+               efree(table_name);
        }
 
        switch (S->cols[colno].pgsql_type) {