Fixed Bug #66762 Segfault in mysqli_stmt::bind_result() when link closed
authorRemi Collet <remi@php.net>
Thu, 27 Feb 2014 07:45:16 +0000 (08:45 +0100)
committerRemi Collet <remi@php.net>
Thu, 27 Feb 2014 07:45:16 +0000 (08:45 +0100)
Each new mysqli_stmt now increases the refcount of the link object,
so the link is only really destroyed after all of its statements.

Only implemented with libmysqlclient, as mysqlnd already implements
this internally.

So libmysqlclient and mysqlnd now have the same behavior.

ext/mysqli/mysqli.c
ext/mysqli/mysqli_api.c
ext/mysqli/php_mysqli_structs.h

index 4e4ed5b2ab3fa4fd6b2b3af97ee49018ad225926..cbeb18349e421c9ca2656ab072c9b28e18e5aa60 100644 (file)
@@ -176,8 +176,11 @@ void php_clear_stmt_bind(MY_STMT *stmt TSRMLS_DC)
        php_free_stmt_bind_buffer(stmt->param, FETCH_SIMPLE);
        /* Clean output bind */
        php_free_stmt_bind_buffer(stmt->result, FETCH_RESULT);
-#endif
 
+       if (stmt->link_handle) {
+           zend_objects_store_del_ref_by_handle(stmt->link_handle TSRMLS_CC);
+       }
+#endif
        if (stmt->query) {
                efree(stmt->query);
        }
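Review bot: Dropping the link reference at `zend_objects_store_del_ref_by_handle(stmt->link_handle TSRMLS_CC)` can destroy the link object when this statement held the last reference, so the release is only safe once the native statement handle has been closed. That close is not visible here because the body of php_clear_stmt_bind starts above the hunk, so the ordering should be confirmed. Any return earlier in the function would also skip the release and leave the link object referenced for the rest of the request. I would record the constraint next to the call: `/* drop the reference taken at statement creation; this may free the link, so the statement must already be closed */`.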
@@ -1055,6 +1058,10 @@ PHP_FUNCTION(mysqli_stmt_construct)
                efree(stmt);
                RETURN_FALSE;
        }
+#ifndef MYSQLI_USE_MYSQLND
+       stmt->link_handle = Z_OBJ_HANDLE(*mysql_link);
+       zend_objects_store_add_ref_by_handle(stmt->link_handle TSRMLS_CC);
+#endif
 
        mysqli_resource = (MYSQLI_RESOURCE *)ecalloc (1, sizeof(MYSQLI_RESOURCE));
        mysqli_resource->ptr = (void *)stmt;
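Review bot: The reference taken on the link here has no comment naming where it is released, and the same four-line `#ifndef MYSQLI_USE_MYSQLND` block is repeated in mysqli_prepare and mysqli_stmt_init, so the add/del pairing that prevents the use-after-free has to be kept in sync by hand in three places. A small static helper, or at least a comment such as `/* keep the link object alive until php_clear_stmt_bind() releases it */`, would keep the rule in one place. Taking the reference after the `efree(stmt); RETURN_FALSE;` branch is right, but any failure path later in these functions has to go through php_clear_stmt_bind or the link object leaks. The rest of each function body is outside the hunk.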
index 1dbff8712b9b97e2ced2700e75b0c0f4c8d00fba..0b28a43ba72e0c741b88356245e17fdf2fa85b08 100644 (file)
@@ -1840,6 +1840,10 @@ PHP_FUNCTION(mysqli_prepare)
                efree(stmt);
                RETURN_FALSE;
        }
+#ifndef MYSQLI_USE_MYSQLND
+       stmt->link_handle = Z_OBJ_HANDLE(*mysql_link);
+       zend_objects_store_add_ref_by_handle(stmt->link_handle TSRMLS_CC);
+#endif
 
        mysqli_resource = (MYSQLI_RESOURCE *)ecalloc (1, sizeof(MYSQLI_RESOURCE));
        mysqli_resource->ptr = (void *)stmt;
@@ -2368,6 +2372,10 @@ PHP_FUNCTION(mysqli_stmt_init)
                efree(stmt);
                RETURN_FALSE;
        }
+#ifndef MYSQLI_USE_MYSQLND
+       stmt->link_handle = Z_OBJ_HANDLE(*mysql_link);
+       zend_objects_store_add_ref_by_handle(stmt->link_handle TSRMLS_CC);
+#endif
 
        mysqli_resource = (MYSQLI_RESOURCE *)ecalloc (1, sizeof(MYSQLI_RESOURCE));
        mysqli_resource->status = MYSQLI_STATUS_INITIALIZED;
index d65259270775e7bc159ff24f84caf7c29371486b..d2fb34b90816c82a7b7072174e50ed40aaa5adf5 100644 (file)
@@ -116,6 +116,10 @@ typedef struct {
        BIND_BUFFER     param;
        BIND_BUFFER     result;
        char            *query;
+#ifndef MYSQLI_USE_MYSQLND
+       /* used to manage refcount with libmysql (already implement in mysqlnd) */
+       zend_object_handle link_handle;
+#endif
 } MY_STMT;
 
 typedef struct {
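Review bot: The comment on `link_handle` does not say what the handle refers to, or that zero is the "no reference held" sentinel that the `if (stmt->link_handle)` guard in php_clear_stmt_bind depends on. That guard is only correct if every MY_STMT is zero-allocated and no live object ever has handle 0; neither is visible in this diff. Suggested wording: `/* object handle of the owning link; one reference is held from statement creation until php_clear_stmt_bind(); 0 means none (libmysqlclient only, mysqlnd tracks this itself) */`.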