From: Nikita Popov
Date: Wed, 10 Apr 2019 08:36:11 +0000 (+0200)
Subject: Fix use after free on pg_close() of default connection
X-Git-Tag: php-7.3.5RC1~18^2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b55715d61a908f7732d5a2bb6b20a105f372014a;p=php
Fix use after free on pg_close() of default connection
---
diff --git a/ext/pgsql/pgsql.c b/ext/pgsql/pgsql.c
index 1d989ae656..658b03baaf 100644
--- a/ext/pgsql/pgsql.c
+++ b/ext/pgsql/pgsql.c
@@ -90,7 +90,7 @@
 #define PQ_SETNONBLOCKING(pg_link, flag) 0
 #endif
-#define CHECK_DEFAULT_LINK(x) if ((x) == NULL) { php_error_docref(NULL, E_WARNING, "No PostgreSQL link opened yet"); }
+#define CHECK_DEFAULT_LINK(x) if ((x) == NULL) { php_error_docref(NULL, E_WARNING, "No PostgreSQL link opened yet"); RETURN_FALSE; }
 #define FETCH_DEFAULT_LINK() PGG(default_link)
 #ifndef HAVE_PQFREEMEM
@@ -1559,13 +1559,15 @@ PHP_FUNCTION(pg_close)
 return;
 }
- if (pgsql_link) {
- link = Z_RES_P(pgsql_link);
- } else {
- link = FETCH_DEFAULT_LINK();
+ if (!pgsql_link) {
+ link = PGG(default_link);
 CHECK_DEFAULT_LINK(link);
+ zend_list_delete(link);
+ PGG(default_link) = NULL;
+ RETURN_TRUE;
 }
+ link = Z_RES_P(pgsql_link);
 if (zend_fetch_resource2(link, "PostgreSQL link", le_link, le_plink) == NULL) {
 RETURN_FALSE;
 }
diff --git a/ext/pgsql/tests/close_default_link.phpt b/ext/pgsql/tests/close_default_link.phpt
new file mode 100644
index 0000000000..c73aa5460b
--- /dev/null
+++ b/ext/pgsql/tests/close_default_link.phpt
@@ -0,0 +1,15 @@
+--TEST--
+pg_close() default link after connection variable has been dropped
+--SKIPIF--
+
+--FILE--
+
+--EXPECT--
+bool(true)
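Review bot: The `RETURN_FALSE;` added to `CHECK_DEFAULT_LINK` in the first pgsql.c hunk (`@@ -90,7 +90,7 @@`) gives the macro a hidden early return, yet nothing at the definition says so and the expansion is still a bare `if { }` block. I would put a comment above it, e.g. `/* Warns and returns FALSE from the calling PHP_FUNCTION when no default link is set. */`, and make it a single statement: `#define CHECK_DEFAULT_LINK(x) do { if ((x) == NULL) { php_error_docref(NULL, E_WARNING, "No PostgreSQL link opened yet"); RETURN_FALSE; } } while (0)`. The new exit path also applies to every other user of the macro; those call sites are outside this diff, so any that allocate or acquire something before invoking it should be checked for leaks.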
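Review bot: In the new `if (!pgsql_link)` branch of pg_close (second pgsql.c hunk, `@@ -1559,13 +1559,15 @@`), `PGG(default_link)` still points at the resource while `zend_list_delete(link)` runs, so if that call drops the last reference the global is briefly dangling. Clearing it first, `PGG(default_link) = NULL;` followed by `zend_list_delete(link);`, removes that window. The branch also only releases the default-link reference and never closes the resource, so when a script variable still holds the connection it presumably stays open although the function returns true. If that is intended, a comment such as `/* Only drop the default-link reference; the connection closes once no other reference remains. */` would record it. PHP_FUNCTION(pg_close) starts and ends outside the hunk, so how an explicit link that equals the default link is handled is not visible here.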