Fix bug #77955

Free metadata before freeing the arena. I don't have a repro script, but the added assertion fails for many existing tests prior to this change.
2024-11-24 02:15:04 +08:00 · 2019-05-23 12:29:08 +02:00 · 2019-05-23 12:29:08 +02:00 · 6f9dfd9473
commit 6f9dfd9473
parent b394654c1e
3 changed files with 18 additions and 2 deletions
--- a/4
+++ b/4
@ -14,6 +14,10 @@ PHP                                                                        NEWS
  . Fixed bug #77956 (When mysqli.allow_local_infile = Off, use a meaningful
    error message). (Sjon Hortensius)

+- MySQLnd:
+  . Fixed bug #77955 (Random segmentation fault in mysqlnd from php-fpm).
+    (Nikita)
+
 - Opcache:
  . Fixed bug #78015 (Incorrect evaluation of expressions involving partials
    arrays in SCCP). (Nikita)
--- a/Zend/zend_arena.h
+++ b/Zend/zend_arena.h
@ -110,6 +110,17 @@ static zend_always_inline void zend_arena_release(zend_arena **arena_ptr, void *
 	arena->ptr = (char*)checkpoint;
 }

+static zend_always_inline zend_bool zend_arena_contains(zend_arena *arena, void *ptr)
+{
+	while (arena) {
+		if ((char*)ptr > (char*)arena && (char*)ptr <= arena->ptr) {
+			return 1;
+		}
+		arena = arena->prev;
+	}
+	return 0;
+}
+
 #endif /* _ZEND_ARENA_H_ */

 /*
--- a/ext/mysqlnd/mysqlnd_result.c
+++ b/ext/mysqlnd/mysqlnd_result.c
@ -294,13 +294,14 @@ void MYSQLND_METHOD(mysqlnd_res, free_result_contents_internal)(MYSQLND_RES * re
 {
 	DBG_ENTER("mysqlnd_res::free_result_contents_internal");

-	result->m.free_result_buffers(result);
-
 	if (result->meta) {
+		ZEND_ASSERT(zend_arena_contains(result->memory_pool->arena, result->meta));
 		result->meta->m->free_metadata(result->meta);
 		result->meta = NULL;
 	}

+	result->m.free_result_buffers(result);
+
 	DBG_VOID_RETURN;
 }
 /* }}} */