Fix use after free on pg_close() of default connection

diff --git a/ext/pgsql/pgsql.c b/ext/pgsql/pgsql.c
index 1d989ae6563e69a219cc00feaf7445546c696362..658b03baaf10e30e1f36ed2a2e1587c92ff050b6 100644 (file)
--- a/ext/pgsql/pgsql.c
+++ b/ext/pgsql/pgsql.c
@@ -90,7 +90,7 @@
 #define PQ_SETNONBLOCKING(pg_link, flag) 0
 #endif
 
-#define CHECK_DEFAULT_LINK(x) if ((x) == NULL) { php_error_docref(NULL, E_WARNING, "No PostgreSQL link opened yet"); }
+#define CHECK_DEFAULT_LINK(x) if ((x) == NULL) { php_error_docref(NULL, E_WARNING, "No PostgreSQL link opened yet"); RETURN_FALSE; }
 #define FETCH_DEFAULT_LINK()  PGG(default_link)
 
 #ifndef HAVE_PQFREEMEM
@@ -1559,13 +1559,15 @@ PHP_FUNCTION(pg_close)
                return;
        }
 
-       if (pgsql_link) {
-               link = Z_RES_P(pgsql_link);
-       } else {
-               link = FETCH_DEFAULT_LINK();
+       if (!pgsql_link) {
+               link = PGG(default_link);
                CHECK_DEFAULT_LINK(link);
+               zend_list_delete(link);
+               PGG(default_link) = NULL;
+               RETURN_TRUE;
        }
 
+       link = Z_RES_P(pgsql_link);
        if (zend_fetch_resource2(link, "PostgreSQL link", le_link, le_plink) == NULL) {
                RETURN_FALSE;
        }

diff --git a/ext/pgsql/tests/close_default_link.phpt b/ext/pgsql/tests/close_default_link.phpt
new file mode 100644 (file)
index 0000000..c73aa54
--- /dev/null
+++ b/ext/pgsql/tests/close_default_link.phpt
@@ -0,0 +1,15 @@
+--TEST--
+pg_close() default link after connection variable has been dropped
+--SKIPIF--
+<?php include("skipif.inc"); ?>
+--FILE--
+<?php
+include('config.inc');
+
+/* Run me under valgrind */
+$db1 = pg_connect($conn_str);
+unset($db1);
+var_dump(pg_close());
+?>
+--EXPECT--
+bool(true)