From 2311ba7d3ff08d27bd7d4b87b51a0f96c5d62d12 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Johannes=20Schl=C3=BCter?= Date: Tue, 21 Jan 2014 16:28:30 +0100 Subject: Fix bug #66283 (Segmentation fault after memory_limit) There are situations where mysqlnd dupliates zvals while freeing result sets. If the memory_limit is reached during this operation the engine will bailout. This patch makes sure that a later attempt (during RSHIUTDOWN) won't cause a double free, instead we rely on the engine to free emalloc()ed memory after bailout. --- NEWS | 3 +++ ext/mysqlnd/mysqlnd_result.c | 7 ++++--- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/NEWS b/NEWS index f542bcfd49..7715e2a68f 100644 --- a/NEWS +++ b/NEWS @@ -6,6 +6,9 @@ PHP NEWS . Fixed bug #66286 (Incorrect object comparison with inheritance). (Nikita) . Fixed bug #66509 (copy() arginfo has changed starting from 5.4). (willfitch) +- mysqlnd + . Fixed bug #66283 (Segmentation fault after memory_limit). (Johannes) + - PDO_pgsql: . Fixed bug #62479 (PDO-psql cannot connect if password contains spaces) (willfitch, iliaa) diff --git a/ext/mysqlnd/mysqlnd_result.c b/ext/mysqlnd/mysqlnd_result.c index cb15657601..0814926483 100644 --- a/ext/mysqlnd/mysqlnd_result.c +++ b/ext/mysqlnd/mysqlnd_result.c @@ -198,9 +198,11 @@ MYSQLND_METHOD(mysqlnd_res, free_buffered_data)(MYSQLND_RES * result TSRMLS_DC) if (set->data) { unsigned int copy_on_write_performed = 0; unsigned int copy_on_write_saved = 0; + zval **data = set->data; + set->data = NULL; /* prevent double free if following loop is interrupted */ for (row = set->row_count - 1; row >= 0; row--) { - zval **current_row = set->data + row * field_count; + zval **current_row = data + row * field_count; MYSQLND_MEMORY_POOL_CHUNK *current_buffer = set->row_buffers[row]; int64_t col; @@ -222,8 +224,7 @@ MYSQLND_METHOD(mysqlnd_res, free_buffered_data)(MYSQLND_RES * result TSRMLS_DC) MYSQLND_INC_GLOBAL_STATISTIC_W_VALUE2(STAT_COPY_ON_WRITE_PERFORMED, copy_on_write_performed, STAT_COPY_ON_WRITE_SAVED, copy_on_write_saved); - mnd_efree(set->data); - set->data = NULL; + mnd_efree(data); } if (set->row_buffers) { -- cgit v1.2.1