Fix mysqlnd memory leak

nikic · nikic · commit f365d0e00ed9 · 2019-06-28T09:18:32.000+02:00
The actual leak is observed in ext/pdo_mysql/tests/bug_74376.phpt.
The persistent connection leaks because a refcount decrement on a
result is missed. The refcount decrement is missed because
free_result_contents is used, rather than free_result.

Looking at other uses of free_result_contents, it looks like they
could also suffer from this problem. Apart from one case,
free_result_contents is always used to release the result entirely
(I've adjusted the one differing case to only free meta), so I'm
moving most of the logic from free_result into free_result_contents.
The only difference is now that free_result will skip_result first.
diff --git a/ext/mysqlnd/mysqlnd_ps.c b/ext/mysqlnd/mysqlnd_ps.c
@@ -122,7 +122,6 @@ MYSQLND_METHOD(mysqlnd_stmt, store_result)(MYSQLND_STMT * const s)
 	} else {
 		COPY_CLIENT_ERROR(conn->error_info, result->stored_data->error_info);
 		stmt->result->m.free_result_contents(stmt->result);
-		mysqlnd_mempool_destroy(stmt->result->memory_pool);
 		stmt->result = NULL;
 		stmt->state = MYSQLND_STMT_PREPARED;
 	}
@@ -341,7 +340,6 @@ mysqlnd_stmt_prepare_read_eof(MYSQLND_STMT * s)
 	if (FAIL == (ret = PACKET_READ(conn, &fields_eof))) {
 		if (stmt->result) {
 			stmt->result->m.free_result_contents(stmt->result);
-			mnd_efree(stmt->result);
 			/* XXX: This will crash, because we will null also the methods.
 				But seems it happens in extreme cases or doesn't. Should be fixed by exporting a function
 				(from mysqlnd_driver.c?) to do the reset.
diff --git a/ext/mysqlnd/mysqlnd_result.c b/ext/mysqlnd/mysqlnd_result.c
@@ -302,6 +302,13 @@ void MYSQLND_METHOD(mysqlnd_res, free_result_contents_internal)(MYSQLND_RES * re
 
 	result->m.free_result_buffers(result);
 
+	if (result->conn) {
+		result->conn->m->free_reference(result->conn);
+		result->conn = NULL;
+	}
+
+	mysqlnd_mempool_destroy(result->memory_pool);
+
 	DBG_VOID_RETURN;
 }
 /* }}} */
@@ -312,17 +319,10 @@ static
 void MYSQLND_METHOD(mysqlnd_res, free_result_internal)(MYSQLND_RES * result)
 {
 	DBG_ENTER("mysqlnd_res::free_result_internal");
-	result->m.skip_result(result);
 
+	result->m.skip_result(result);
 	result->m.free_result_contents(result);
 
-	if (result->conn) {
-		result->conn->m->free_reference(result->conn);
-		result->conn = NULL;
-	}
-
-	mysqlnd_mempool_destroy(result->memory_pool);
-
 	DBG_VOID_RETURN;
 }
 /* }}} */
@@ -355,7 +355,8 @@ MYSQLND_METHOD(mysqlnd_res, read_result_metadata)(MYSQLND_RES * result, MYSQLND_
 
 	/* It's safe to reread without freeing */
 	if (FAIL == result->meta->m->read_metadata(result->meta, conn, result)) {
-		result->m.free_result_contents(result);
+		result->meta->m->free_metadata(result->meta);
+		result->meta = NULL;
 		DBG_RETURN(FAIL);
 	}
 	/* COM_FIELD_LIST is broken and has premature EOF, thus we need to hack here and in mysqlnd_res_meta.c */
@@ -517,7 +518,6 @@ mysqlnd_query_read_result_set_header(MYSQLND_CONN_DATA * conn, MYSQLND_STMT * s)
 				if (FAIL == (ret = PACKET_READ(conn, &fields_eof))) {
 					DBG_ERR("Error occurred while reading the EOF packet");
 					result->m.free_result_contents(result);
-					mysqlnd_mempool_destroy(result->memory_pool);
 					if (!stmt) {
 						conn->current_result = NULL;
 					} else {
