Fixing a leak in mysqlnd when passing invalid fetch modes to mysqlnd.

diff --git a/ext/mysql/php_mysql.c b/ext/mysql/php_mysql.c
index aaee07bc6a8e811797dd8c077e20976e5304f8bd..694640f59cb6b444c7276c9449bdae9d061ff8f6 100644 (file)
--- a/ext/mysql/php_mysql.c
+++ b/ext/mysql/php_mysql.c
@@ -1972,7 +1972,7 @@ static void php_mysql_fetch_hash(INTERNAL_FUNCTION_PARAMETERS, int result_type,
                }
        }
 
-       if ((result_type & MYSQL_BOTH) == 0) {
+       if (result_type & ~MYSQL_BOTH) {
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "The result type should be either MYSQL_NUM, MYSQL_ASSOC or MYSQL_BOTH");
                result_type = MYSQL_BOTH;
        }
@@ -2149,6 +2149,11 @@ PHP_FUNCTION(mysql_fetch_array)
        }
        ZEND_FETCH_RESOURCE(result, MYSQL_RES *, &mysql_result, -1, "MySQL result", le_result);
 
+       if (mode & ~MYSQL_BOTH) {
+                php_error_docref(NULL TSRMLS_CC, E_WARNING, "The result type should be either MYSQL_NUM, MYSQL_ASSOC or MYSQL_BOTH");
+                mode = MYSQL_BOTH;
+        }
+
        mysqlnd_fetch_into(result, mode, return_value, MYSQLND_MYSQL);
 #endif
 }

diff --git a/ext/mysql/tests/mysql_fetch_array.phpt b/ext/mysql/tests/mysql_fetch_array.phpt
index 924c71750195fdf89f910ae59528c3ce975d5bcd..635e6d1097f8387a4f23609f172e2aeb63e292f3 100644 (file)
--- a/ext/mysql/tests/mysql_fetch_array.phpt
+++ b/ext/mysql/tests/mysql_fetch_array.phpt
@@ -56,7 +56,7 @@ exit(1);
 do {
        $illegal_mode = mt_rand(0, 10000);
 } while (in_array($illegal_mode, array(MYSQL_ASSOC, MYSQL_NUM, MYSQL_BOTH)));
-$tmp = @mysql_fetch_array($res, $illegal_mode);
+$tmp = mysql_fetch_array($res, $illegal_mode);
 if (!is_array($tmp))
        printf("[013] Expecting array, got %s/%s. [%d] %s\n",
                gettype($tmp), $tmp, mysql_errno($link), mysql_error($link));
@@ -355,5 +355,7 @@ array(11) {
   %unicode|string%(1) "1"
 }
 
+Warning: mysql_fetch_array(): The result type should be either MYSQL_NUM, MYSQL_ASSOC or MYSQL_BOTH in %s on line %d
+
 Warning: mysql_fetch_array(): %d is not a valid MySQL result resource in %s on line %d
 done!

diff --git a/ext/mysqlnd/mysqlnd_result.c b/ext/mysqlnd/mysqlnd_result.c
index 56969944aa09f32869b9532f55350479fa5538b0..6c3bc140797fd7a9a7c195d893ca2777e6c599a9 100644 (file)
--- a/ext/mysqlnd/mysqlnd_result.c
+++ b/ext/mysqlnd/mysqlnd_result.c
@@ -901,13 +901,8 @@ mysqlnd_fetch_row_unbuffered(MYSQLND_RES *result, void *param, unsigned int flag
                                        lengths[i] = len;
                                }
 
-                               /* Forbid ZE to free it, we will clean it */
-                               Z_ADDREF_P(data);
-
-                               if ((flags & MYSQLND_FETCH_BOTH) == MYSQLND_FETCH_BOTH) {
-                                       Z_ADDREF_P(data);
-                               }
                                if (flags & MYSQLND_FETCH_NUM) {
+                                       Z_ADDREF_P(data);
                                        zend_hash_next_index_insert(row_ht, &data, sizeof(zval *), NULL);
                                }
                                if (flags & MYSQLND_FETCH_ASSOC) {
@@ -918,6 +913,7 @@ mysqlnd_fetch_row_unbuffered(MYSQLND_RES *result, void *param, unsigned int flag
                                          the index is a numeric and convert it to it. This however means constant
                                          hashing of the column name, which is not needed as it can be precomputed.
                                        */
+                                       Z_ADDREF_P(data);
                                        if (zend_hash_key->is_numeric == FALSE) {
 #if PHP_MAJOR_VERSION >= 6
                                                zend_u_hash_quick_update(Z_ARRVAL_P(row), IS_UNICODE,
@@ -1128,16 +1124,8 @@ mysqlnd_fetch_row_buffered(MYSQLND_RES *result, void *param, unsigned int flags,
                for (i = 0; i < result->field_count; i++, field++, zend_hash_key++) {
                        zval *data = current_row[i];
 
-                       /*
-                         Let us later know what to do with this zval. If ref_count > 1, we will just
-                         decrease it, otherwise free it. zval_ptr_dtor() make this very easy job.
-                       */
-                       Z_ADDREF_P(data);
-                       
-                       if ((flags & MYSQLND_FETCH_BOTH) == MYSQLND_FETCH_BOTH) {
-                               Z_ADDREF_P(data);
-                       }
                        if (flags & MYSQLND_FETCH_NUM) {
+                               Z_ADDREF_P(data);
                                zend_hash_next_index_insert(Z_ARRVAL_P(row), &data, sizeof(zval *), NULL);
                        }
                        if (flags & MYSQLND_FETCH_ASSOC) {
@@ -1148,6 +1136,7 @@ mysqlnd_fetch_row_buffered(MYSQLND_RES *result, void *param, unsigned int flags,
                                  the index is a numeric and convert it to it. This however means constant
                                  hashing of the column name, which is not needed as it can be precomputed.
                                */
+                               Z_ADDREF_P(data);
                                if (zend_hash_key->is_numeric == FALSE) {
 #if PHP_MAJOR_VERSION >= 6
                                        zend_u_hash_quick_update(Z_ARRVAL_P(row), IS_UNICODE,