
Fix use after free on pg_close() of default connection
nikic committed Apr 10, 2019
1 parent 7b8212f commit b55715d
Showing 2 changed files with 22 additions and 5 deletions.
12 changes: 7 additions & 5 deletions ext/pgsql/pgsql.c
Expand Up @@ -90,7 +90,7 @@
#define PQ_SETNONBLOCKING(pg_link, flag) 0
#endif

#define CHECK_DEFAULT_LINK(x) if ((x) == NULL) { php_error_docref(NULL, E_WARNING, "No PostgreSQL link opened yet"); }
#define CHECK_DEFAULT_LINK(x) if ((x) == NULL) { php_error_docref(NULL, E_WARNING, "No PostgreSQL link opened yet"); RETURN_FALSE; }
#define FETCH_DEFAULT_LINK() PGG(default_link)

#ifndef HAVE_PQFREEMEM
Expand Down Expand Up @@ -1559,13 +1559,15 @@ PHP_FUNCTION(pg_close)
return;
}

if (pgsql_link) {
link = Z_RES_P(pgsql_link);
} else {
link = FETCH_DEFAULT_LINK();
if (!pgsql_link) {
link = PGG(default_link);
CHECK_DEFAULT_LINK(link);
zend_list_delete(link);
PGG(default_link) = NULL;
RETURN_TRUE;
}

link = Z_RES_P(pgsql_link);
if (zend_fetch_resource2(link, "PostgreSQL link", le_link, le_plink) == NULL) {
RETURN_FALSE;
}
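Review bot: The default-link branch (`link = PGG(default_link);` through `zend_list_delete(link);`) deletes the resource without the `zend_fetch_resource2` validation that the explicit-argument path performs right below it, so the two paths are asymmetric and a stale `PGG(default_link)` entry would be deleted with no type check. Adding `if (zend_fetch_resource2(link, "PostgreSQL link", le_link, le_plink) == NULL) { RETURN_FALSE; }` before `zend_list_delete(link)` keeps the branches consistent; whether the explicit path clears `PGG(default_link)` when it closes the same resource is outside the hunk, so I cannot confirm a stale entry is actually reachable. The `RETURN_FALSE` added to `CHECK_DEFAULT_LINK` in the first hunk now returns from every function that uses the macro, a behavioural change beyond pg_close(); it looks intended, since the previous fall-through handed a NULL `link` to the following resource lookup, but the commit message does not mention it. The body of PHP_FUNCTION(pg_close) begins and ends outside the hunk.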
15 changes: 15 additions & 0 deletions ext/pgsql/tests/close_default_link.phpt
@@ -0,0 +1,15 @@
--TEST--
pg_close() default link after connection variable has been dropped
--SKIPIF--
<?php include("skipif.inc"); ?>
--FILE--
<?php
include('config.inc');

/* Run me under valgrind */
$db1 = pg_connect($conn_str);
unset($db1);
var_dump(pg_close());
?>
--EXPECT--
bool(true)
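Review bot: The test only exercises the success path; the new `RETURN_FALSE` in `CHECK_DEFAULT_LINK` (a second `pg_close()` once the default link is gone) is not covered, and the use-after-free itself is only observable under a memory checker, as the `/* Run me under valgrind */` comment admits. Adding a second `var_dump(pg_close());` after the first and switching the section to `--EXPECTF--` with the expected `Warning: pg_close(): No PostgreSQL link opened yet in %s on line %d` followed by `bool(false)` would pin the new early return in the same test.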
