From: Anatol Belski
Date: Mon, 12 Mar 2018 19:57:21 +0000 (+0100)
Subject: Fix heap use after free
X-Git-Tag: php-7.2.4RC1~7^2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=4cd64aad8ad2f85de4a3a1ab8b83ae6108ce9388;p=php

Fix heap use after free

The value may only be used until PGresult was destroyed, thus it needs to be copied.
---

diff --git a/ext/pdo_pgsql/pgsql_statement.c b/ext/pdo_pgsql/pgsql_statement.c
index 2d8e3c2fcf..b401917669 100644
--- a/ext/pdo_pgsql/pgsql_statement.c
+++ b/ext/pdo_pgsql/pgsql_statement.c
@@ -618,11 +618,13 @@ static zend_always_inline char * pdo_pgsql_translate_oid_to_table(Oid oid, PGcon
 	}
 	efree(querystr);
 
-	if ((table_name = PQgetvalue(tmp_res, 0, 0)) == NULL) {
+	if (1 == PQgetisnull(tmp_res, 0, 0) || (table_name = PQgetvalue(tmp_res, 0, 0)) == NULL) {
 		PQclear(tmp_res);
 		return 0;
 	}
 
+	table_name = estrdup(table_name);
+
 	PQclear(tmp_res);
 	return table_name;
 }
@@ -652,6 +654,7 @@ static int pgsql_stmt_get_column_meta(pdo_stmt_t *stmt, zend_long colno, zval *r
 	table_name = pdo_pgsql_translate_oid_to_table(table_oid, S->H->server);
 	if (table_name) {
 		add_assoc_string(return_value, "table", table_name);
+		efree(table_name);
 	}
 
 	switch (S->cols[colno].pgsql_type) {
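Review bot: The estrdup() added before PQclear() changes the ownership contract of pdo_pgsql_translate_oid_to_table — the result is now heap memory the caller must efree() — but nothing in the hunk records that, so any other caller of this helper not touched by this commit would now leak. A comment above the final return, `/* caller owns the returned string and must efree() it; the PGresult is released here */`, would make the contract explicit, and the function's head comment (outside the hunk) should say the same. Style-wise, `1 == PQgetisnull(tmp_res, 0, 0)` is a Yoda comparison; `if (PQgetisnull(tmp_res, 0, 0) || (table_name = PQgetvalue(tmp_res, 0, 0)) == NULL) {` is the same test in the form the surrounding code uses. The pre-existing `return 0;` on the failure path yields a null `char *`; `return NULL;` would read more clearly. The function's body begins outside the hunk.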
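Review bot: The efree(table_name) added after add_assoc_string() is correct only because add_assoc_string() copies the C string into a fresh zend_string rather than storing the pointer; without a comment the line reads like a free of memory the returned array still references. A short note on the new line, `/* add_assoc_string() copies; release the estrdup()'d name from pdo_pgsql_translate_oid_to_table() */`, documents that pairing and the helper's ownership rule. pgsql_stmt_get_column_meta starts and ends outside the hunk.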