From a347b0be48d892c105198b23868f37a0d4f92dee Mon Sep 17 00:00:00 2001
From: Xinchen Hui
Date: Fri, 27 Nov 2015 15:52:55 +0800
Subject: [PATCH] Fixed bug #70949 (SQL Result Sets With NULL Can Cause Fatal Memory Errors)
---
 NEWS | 2 ++
 ext/mysqli/tests/bug70949.phpt | 62 ++++++++++++++++++++++++++++++++++
 ext/mysqlnd/mysqlnd_ps.c | 2 ++
 3 files changed, 66 insertions(+)
 create mode 100644 ext/mysqli/tests/bug70949.phpt
diff --git a/NEWS b/NEWS
index 635ba29b73..227ccdffd6 100644
--- a/NEWS
+++ b/NEWS
@@ -20,6 +20,8 @@ PHP NEWS
 from an array. (Bob)
 - Mysqlnd:
+ . Fixed bug #70949 (SQL Result Sets With NULL Can Cause Fatal Memory Errors).
+ (Laruence)
 . Fixed bug #68077 (LOAD DATA LOCAL INFILE / open_basedir restriction).
 (Laruence)
diff --git a/ext/mysqli/tests/bug70949.phpt b/ext/mysqli/tests/bug70949.phpt
new file mode 100644
index 0000000000..17f7f9d96b
--- /dev/null
+++ b/ext/mysqli/tests/bug70949.phpt
@@ -0,0 +1,62 @@
+--TEST--
+Bug #70949 (SQL Result Sets With NULL Can Cause Fatal Memory Errors)
+--SKIPIF--
+
+--FILE--
+query("DROP TABLE IF EXISTS bug70949");
+$mysql->query("CREATE TABLE bug70949(name varchar(255))");
+$mysql->query("INSERT INTO bug70949 VALUES ('dummy'),(NULL),('foo'),('bar')");
+
+$sql = "select * from bug70949";
+
+if ($stmt = $mysql->prepare($sql))
+{
+ $stmt->attr_set(MYSQLI_STMT_ATTR_CURSOR_TYPE, MYSQLI_CURSOR_TYPE_READ_ONLY);
+
+ if ($stmt->bind_result($name)) {
+ {
+ if ($stmt->execute())
+ {
+ while ($stmt->fetch())
+ {
+ var_dump($name);
+ }
+ }
+ }
+
+ $stmt->free_result();
+ $stmt->close();
+ }
+
+
+ $mysql->close();
+}
+
+?>
+--CLEAN--
+
+--EXPECT--
+string(5) "dummy"
+NULL
+string(3) "foo"
+string(3) "bar"
diff --git a/ext/mysqlnd/mysqlnd_ps.c b/ext/mysqlnd/mysqlnd_ps.c
index 767ba34ab0..4ffea76674 100644
--- a/ext/mysqlnd/mysqlnd_ps.c
+++ b/ext/mysqlnd/mysqlnd_ps.c
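Review bot: The new test puts its only NULL row between non-NULL rows, so it never exercises a NULL in the first fetched row (bound variable still in its initial state) or in the last row before `free_result()`, and both of those reach the new `else` branch with a different bound-variable state; I would widen the data to `$mysql->query("INSERT INTO bug70949 VALUES (NULL),('dummy'),(NULL),('foo'),('bar'),(NULL)");` and add the matching `NULL` lines to `--EXPECT--`. The bare `{ ... }` block wrapped around `if ($stmt->execute())` adds a nesting level without scoping anything and can be dropped. The `--SKIPIF--` and `--CLEAN--` bodies and the connection setup that precedes `query("DROP TABLE IF EXISTS bug70949")` are not visible in this rendering of the hunk, so I am judging only the visible body; please make sure `--CLEAN--` drops `bug70949` so an aborted run does not leave the table behind for other tests.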
@@ -1115,6 +1115,8 @@ mysqlnd_fetch_stmt_row_cursor(MYSQLND_RES * result, void * param, unsigned int f
 ZVAL_COPY_VALUE(result, data);
 /* copied data, thus also the ownership. Thus null data */
 ZVAL_NULL(data);
+ } else {
+ ZVAL_NULL(result);
 }
 }
 }
-- 
2.40.0
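Review bot: The new `else` branch resets the bound zval when the column is NULL but carries no comment, and nothing in the surrounding three lines says why it is needed; I would add `/* NULL column: reset the bound variable, otherwise it keeps the previous row's value (bug #70949) */` above `ZVAL_NULL(result);`. Before this change a NULL column simply left `result` holding whatever the previous row had copied into it, which is wrong output at minimum, and the bug title indicates it also interacts badly with later cleanup, though that path is outside the hunk. Neither branch releases `result` before overwriting it, so I assume the bound zval is cleared earlier in the loop; if it is not, the new `ZVAL_NULL(result)` would drop a refcounted string from the previous row without releasing it, the same as the existing copy does — worth confirming against the lines above 1115. The hunk header names `mysqlnd_fetch_stmt_row_cursor`, and the accompanying test drives only the read-only cursor path; if the buffered and unbuffered fetch routines in this file copy bound results with the same `if (Z_TYPE_P(data) != IS_NULL)` shape and no `else`, they need the same branch and a matching test. The enclosing function starts and ends outside the hunk.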