Fixed bug #35797 (segfault on PDOStatement::execute() with

zend.ze1_compatibility_mode = On).

diff --git a/NEWS b/NEWS
index 93ca26b0bcb78802d5314ad4fb08e2dbf3bd1bc8..41e74c1cc06b8ef7ed38cfa4af958d77ea5b951e 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,8 @@ PHP                                                                        NEWS
   the callback). (Tony)
 - Fixed bug #35817 (unpack() does not decode odd number of hexadecimal values).
   (Ilia)
+- Fixed bug #35797 (segfault on PDOStatement::execute() with 
+  zend.ze1_compatibility_mode = On). (Tony, Ilia)
 - Fixed bug #35781 (stream_filter_append() can cause segfault). (Tony)
 - Fixed bug #35759 (mysqli_stmt_bind_result() makes huge allocation when
   column empty). (Andrey)

diff --git a/ext/pdo/pdo_stmt.c b/ext/pdo/pdo_stmt.c
index e410964dcadd6ed499b1e03e30722811bbc6ae76..f2d9b4d139013630b383707c7e02ab4de842c864 100755 (executable)
--- a/ext/pdo/pdo_stmt.c
+++ b/ext/pdo/pdo_stmt.c
@@ -2060,6 +2060,34 @@ static int dbstmt_compare(zval *object1, zval *object2 TSRMLS_DC)
        return -1;
 }
 
+static zend_object_value dbstmt_clone_obj(zval *zobject TSRMLS_DC)
+{
+       zend_object_value retval;
+       zval *tmp;
+       pdo_stmt_t *stmt;
+       pdo_stmt_t *old_stmt;
+       zend_object_handle handle = Z_OBJ_HANDLE_P(zobject);
+
+       stmt = ecalloc(1, sizeof(*stmt));
+       stmt->ce = Z_OBJCE_P(zobject);
+       stmt->refcount = 1;
+       ALLOC_HASHTABLE(stmt->properties);
+       zend_hash_init(stmt->properties, 0, NULL, ZVAL_PTR_DTOR, 0);
+       zend_hash_copy(stmt->properties, &stmt->ce->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+
+       old_stmt = (pdo_stmt_t *)zend_object_store_get_object(zobject TSRMLS_CC);
+       
+       retval.handle = zend_objects_store_put(stmt, (zend_objects_store_dtor_t)zend_objects_destroy_object, (zend_objects_free_object_storage_t)pdo_dbstmt_free_storage, (zend_objects_store_clone_t)dbstmt_clone_obj TSRMLS_CC);
+       retval.handlers = Z_OBJ_HT_P(zobject);
+
+       zend_objects_clone_members((zend_object *)stmt, retval, (zend_object *)old_stmt, handle TSRMLS_CC);
+       
+       zend_objects_store_add_ref(&old_stmt->database_object_handle TSRMLS_CC);
+       stmt->database_object_handle = old_stmt->database_object_handle;
+                       
+       return retval;
+}
+
 zend_object_handlers pdo_dbstmt_object_handlers;
 
 void pdo_stmt_init(TSRMLS_D)
@@ -2078,6 +2106,7 @@ void pdo_stmt_init(TSRMLS_D)
        pdo_dbstmt_object_handlers.unset_property = dbstmt_prop_delete;
        pdo_dbstmt_object_handlers.get_method = dbstmt_method_get;
        pdo_dbstmt_object_handlers.compare_objects = dbstmt_compare;
+       pdo_dbstmt_object_handlers.clone_obj = dbstmt_clone_obj;
 
        INIT_CLASS_ENTRY(ce, "PDORow", pdo_row_functions);
        pdo_row_ce = zend_register_internal_class(&ce TSRMLS_CC);
@@ -2172,7 +2201,7 @@ zend_object_value pdo_dbstmt_new(zend_class_entry *ce TSRMLS_DC)
        zend_hash_init(stmt->properties, 0, NULL, ZVAL_PTR_DTOR, 0);
        zend_hash_copy(stmt->properties, &ce->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
 
-       retval.handle = zend_objects_store_put(stmt, (zend_objects_store_dtor_t)zend_objects_destroy_object, (zend_objects_free_object_storage_t)pdo_dbstmt_free_storage, NULL TSRMLS_CC);
+       retval.handle = zend_objects_store_put(stmt, (zend_objects_store_dtor_t)zend_objects_destroy_object, (zend_objects_free_object_storage_t)pdo_dbstmt_free_storage, (zend_objects_store_clone_t)dbstmt_clone_obj TSRMLS_CC);
        retval.handlers = &pdo_dbstmt_object_handlers;
 
        return retval;