Fixed bug #70949 (SQL Result Sets With NULL Can Cause Fatal Memory Errors)

diff --git a/NEWS b/NEWS
index 635ba29b736beaf85535d6f9841c3b7b1d9dacaa..227ccdffd6d83faaac274cc8c3711aaea0f01cae 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -20,6 +20,8 @@ PHP                                                                        NEWS
     from an array. (Bob)
 
 - Mysqlnd:
+  . Fixed bug #70949 (SQL Result Sets With NULL Can Cause Fatal Memory Errors).
+    (Laruence)
   . Fixed bug #68077 (LOAD DATA LOCAL INFILE / open_basedir restriction).
     (Laruence)
 

diff --git a/ext/mysqli/tests/bug70949.phpt b/ext/mysqli/tests/bug70949.phpt
new file mode 100644 (file)
index 0000000..17f7f9d
--- /dev/null
+++ b/ext/mysqli/tests/bug70949.phpt
@@ -0,0 +1,62 @@
+--TEST--
+Bug #70949 (SQL Result Sets With NULL Can Cause Fatal Memory Errors)
+--SKIPIF--
+<?php
+require_once('skipif.inc');
+require_once('skipifconnectfailure.inc');
+require_once("connect.inc");
+if (!$IS_MYSQLND) {
+       die("skip mysqlnd only test");
+}
+?>
+--FILE--
+<?php
+require_once("connect.inc");
+$mysql = new my_mysqli($host, $user, $passwd, $db, $port, $socket);
+
+$mysql->query("DROP TABLE IF EXISTS bug70949");
+$mysql->query("CREATE TABLE bug70949(name varchar(255))");
+$mysql->query("INSERT INTO bug70949 VALUES ('dummy'),(NULL),('foo'),('bar')");
+
+$sql = "select * from bug70949";
+
+if ($stmt = $mysql->prepare($sql))
+{      
+       $stmt->attr_set(MYSQLI_STMT_ATTR_CURSOR_TYPE, MYSQLI_CURSOR_TYPE_READ_ONLY);
+
+       if ($stmt->bind_result($name)) {
+               {
+                       if ($stmt->execute())
+                       {
+                               while ($stmt->fetch())
+                               {       
+                                       var_dump($name);
+                               }
+                       }
+               }
+
+               $stmt->free_result();
+               $stmt->close();
+       }
+
+
+       $mysql->close();
+}
+
+?>
+--CLEAN--
+<?php
+require_once("connect.inc");
+if (!$link = my_mysqli_connect($host, $user, $passwd, $db, $port, $socket))
+   printf("[c001] [%d] %s\n", mysqli_connect_errno(), mysqli_connect_error());
+
+if (!mysqli_query($link, "DROP TABLE IF EXISTS bug70949"))
+       printf("[c002] Cannot drop table, [%d] %s\n", mysqli_errno($link), mysqli_error($link));
+
+mysqli_close($link);
+?>
+--EXPECT--
+string(5) "dummy"
+NULL
+string(3) "foo"
+string(3) "bar"

diff --git a/ext/mysqlnd/mysqlnd_ps.c b/ext/mysqlnd/mysqlnd_ps.c
index 767ba34ab0792e9e3c3c7231bc0e07a1b601dd7a..4ffea766746cc39170cd15eada4a78dc6a11d71e 100644 (file)
--- a/ext/mysqlnd/mysqlnd_ps.c
+++ b/ext/mysqlnd/mysqlnd_ps.c
@@ -1115,6 +1115,8 @@ mysqlnd_fetch_stmt_row_cursor(MYSQLND_RES * result, void * param, unsigned int f
                                                ZVAL_COPY_VALUE(result, data);
                                                /* copied data, thus also the ownership. Thus null data */
                                                ZVAL_NULL(data);
+                                       } else {
+                                               ZVAL_NULL(result);
                                        }
                                }
                        }