From: Ulf Wendel <uw@php.net>
Date: Mon, 14 Sep 2009 16:51:11 +0000 (+0000)
Subject: Backport of http://news.php.net/php.cvs/60381 to PHP 5_2 which fixes a potential... 
X-Git-Tag: php-5.2.11~6
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=58c34106896b4580e3115a5f6b3c530e2ef61c6e;p=php

Backport of http://news.php.net/php.cvs/60381 to PHP 5_2 which fixes a potential crash with ext/mysqli and Prepared Statements if the MySQL Server sends faulty metadata, see also http://news.php.net/php.cvs/60389 . I don't know of a way to crash PHP using a recent MySQL. But metadata has been a troublemaker in the past. Just in case...
---

diff --git a/ext/mysqli/mysqli_api.c b/ext/mysqli/mysqli_api.c
index 7cd6f32ddc..039a771f91 100644
--- a/ext/mysqli/mysqli_api.c
+++ b/ext/mysqli/mysqli_api.c
@@ -364,7 +364,7 @@ PHP_FUNCTION(mysqli_stmt_bind_result)
 				bind[ofs].buffer = stmt->result.buf[ofs].val;
 				bind[ofs].is_null = &stmt->result.is_null[ofs];
 				bind[ofs].buffer_length = stmt->result.buf[ofs].buflen;
-				bind[ofs].length = &stmt->result.buf[ofs].buflen;
+				bind[ofs].length = &stmt->result.buf[ofs].output_len;
 				break;
 			}
 			default:
@@ -735,7 +735,7 @@ PHP_FUNCTION(mysqli_stmt_fetch)
 #else
 							{
 #endif
-								ZVAL_STRINGL(stmt->result.vars[i], stmt->result.buf[i].val, stmt->result.buf[i].buflen, 1);
+								ZVAL_STRINGL(stmt->result.vars[i], stmt->result.buf[i].val, stmt->result.buf[i].output_len, 1);
 							}
 						}
 						break;
diff --git a/ext/mysqli/php_mysqli.h b/ext/mysqli/php_mysqli.h
index 04bdc017a8..d874703190 100644
--- a/ext/mysqli/php_mysqli.h
+++ b/ext/mysqli/php_mysqli.h
@@ -52,8 +52,9 @@ enum mysqli_status {
 };
 
 typedef struct {
+        char            *val;
 	ulong		buflen;
-	char		*val;
+        ulong           output_len;
 	ulong		type;
 } VAR_BUFFER;