From: Antony Dovgal <tony2001@php.net>
Date: Sun, 30 Jul 2006 20:51:24 +0000 (+0000)
Subject: MFH: fix #38173 (Freeing nested cursors causes OCI8 to segfault)
X-Git-Tag: php-5.2.0RC2~145
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=aa1ced04cba02a3052a99220183f730254ca4a60;p=php

MFH: fix #38173 (Freeing nested cursors causes OCI8 to segfault)
---

diff --git a/NEWS b/NEWS
index c2af209c85..c0823fbf0c 100644
--- a/NEWS
+++ b/NEWS
@@ -40,6 +40,7 @@ PHP                                                                        NEWS
   execution). (Dmitry)
 - Fixed bug #38194 (ReflectionClass::isSubclassOf() returns TRUE for the class
   itself). (Ilia)
+- Fixed bug #38173 (Freeing nested cursors causes OCI8 to segfault). (Tony)
 - Fixed bug #38132 (ReflectionClass::getStaticProperties() retains \0 in key
   names). (Ilia)
 - Fixed bug #38047 ("file" and "line" sometimes not set in backtrace from
diff --git a/ext/oci8/oci8_interface.c b/ext/oci8/oci8_interface.c
index f934b1c52d..6964cc3e1a 100644
--- a/ext/oci8/oci8_interface.c
+++ b/ext/oci8/oci8_interface.c
@@ -1483,7 +1483,10 @@ PHP_FUNCTION(oci_free_statement)
 	}
 
 	PHP_OCI_ZVAL_TO_STATEMENT(z_statement, statement);
-	zend_list_delete(statement->id);
+	if (!statement->nested) {
+		/* nested cursors cannot be freed, they are allocated once and used during the fetch */
+		zend_list_delete(statement->id);
+	}
 	
 	RETURN_TRUE;
 }
diff --git a/ext/oci8/oci8_statement.c b/ext/oci8/oci8_statement.c
index 16a2b7e182..32cf84d913 100644
--- a/ext/oci8/oci8_statement.c
+++ b/ext/oci8/oci8_statement.c
@@ -94,6 +94,7 @@ php_oci_statement *php_oci_statement_create (php_oci_connection *connection, cha
 
 	statement->connection = connection;
 	statement->has_data = 0;
+	statement->nested = 0;
 
 	if (OCI_G(default_prefetch) > 0) {
 		php_oci_statement_set_prefetch(statement, OCI_G(default_prefetch) TSRMLS_CC);
@@ -443,6 +444,7 @@ int php_oci_statement_execute(php_oci_statement *statement, ub4 mode TSRMLS_DC)
 				case SQLT_RSET:
 					outcol->statement = php_oci_statement_create(statement->connection, NULL, 0, 0 TSRMLS_CC);
 					outcol->stmtid = outcol->statement->id;
+					outcol->statement->nested = 1;
 
 					define_type = SQLT_RSET;
 					outcol->is_cursor = 1;
diff --git a/ext/oci8/php_oci8_int.h b/ext/oci8/php_oci8_int.h
index 638cd2391a..b3e2c46137 100644
--- a/ext/oci8/php_oci8_int.h
+++ b/ext/oci8/php_oci8_int.h
@@ -166,6 +166,7 @@ typedef struct { /* php_oci_statement {{{ */
 	int ncolumns;					/* number of columns in the result */
 	unsigned executed:1;			/* statement executed flag */
 	unsigned has_data:1;			/* statement has more data flag */
+	unsigned nested:1;			/* statement handle is valid */
 	ub2 stmttype;					/* statement type */
 } php_oci_statement; /* }}} */
 
diff --git a/ext/oci8/tests/bug38173.phpt b/ext/oci8/tests/bug38173.phpt
new file mode 100644
index 0000000000..b92df9e39e
--- /dev/null
+++ b/ext/oci8/tests/bug38173.phpt
@@ -0,0 +1,79 @@
+--TEST--
+Bug #38173 (Freeing nested cursors causes OCI8 to segfault)
+--SKIPIF--
+<?php if (!extension_loaded('oci8')) die("skip no oci8 extension"); ?>
+--FILE--
+<?php
+
+require dirname(__FILE__)."/connect.inc";
+
+$create_1 = "CREATE TABLE t1 (id INTEGER)";
+$create_2 = "CREATE TABLE t2 (id INTEGER)";
+$drop_1 = "DROP TABLE t1";
+$drop_2 = "DROP TABLE t2";
+
+$s1 = oci_parse($c, $drop_1);
+$s2 = oci_parse($c, $drop_2);
+@oci_execute($s1);
+@oci_execute($s2);
+
+$s1 = oci_parse($c, $create_1);
+$s2 = oci_parse($c, $create_2);
+oci_execute($s1);
+oci_execute($s2);
+
+for($i=0; $i < 5; $i++) {
+	$insert = "INSERT INTO t1 VALUES(".$i.")";
+	$s = oci_parse($c, $insert);
+	oci_execute($s);
+}
+
+for($i=0; $i < 5; $i++) {
+	$insert = "INSERT INTO t2 VALUES(".$i.")";
+	$s = oci_parse($c, $insert);
+	oci_execute($s);
+}
+
+$query ="
+SELECT
+  t1.*,
+  CURSOR( SELECT * FROM t2 ) as cursor
+FROM
+  t1
+";
+
+$sth = oci_parse($c, $query);
+oci_execute($sth);
+
+// dies on oci_free_statement on 2nd pass through loop
+while ( $row = oci_fetch_assoc($sth) ) {
+  print "Got row!\n";
+  var_dump(oci_execute($row['CURSOR']));
+  var_dump(oci_free_statement($row['CURSOR']));
+}
+
+$s1 = oci_parse($c, $drop_1);
+$s2 = oci_parse($c, $drop_2);
+@oci_execute($s1);
+@oci_execute($s2);
+
+echo "Done\n";
+
+?>
+--EXPECT--
+Got row!
+bool(true)
+bool(true)
+Got row!
+bool(true)
+bool(true)
+Got row!
+bool(true)
+bool(true)
+Got row!
+bool(true)
+bool(true)
+Got row!
+bool(true)
+bool(true)
+Done