Fix bug #69899

NEWS

@@ -10,6 +10,10 @@ PHP                                                                        NEWS
   . Fixed bug #67583 (double fastcgi_end_request on max_children limit).
     (Dmitry Saprykin)
 
+- Mysqlnd:
+  . Fixed bug #69899 (segfault on close() after free_result() with mysqlnd).
+    (Richard Fussenegger)
+
 - OpenSSL:
   . Fixed bug #71519 (add serial hex to return value array). (xrobau)
 

ext/mysqli/tests/bug69899.phpt

@@ -0,0 +1,38 @@
+--TEST--
+Bug #69899: Segfault on stmt close after free_result with mysqlnd.
+--DESCRIPTION--
+The segfault happens only if the database connection was already closed and
+free_result is called on a prepared statement followed by closing that
+statement. This is due to mysqlnd_stmt::free_result (mysqlnd_ps.c) which
+unconditionally sets the connection of the statement to ready, despite the fact
+that it might already be closed.
+--SKIPIF--
+<?php
+require_once __DIR__ . '/skipif.inc';
+require_once __DIR__ . '/skipifconnectfailure.inc';
+require_once __DIR__ . '/connect.inc';
+if (!$IS_MYSQLND) {
+	die('mysqlnd only');
+}
+?>
+--FILE--
+<?php
+
+require_once __DIR__ . '/connect.inc';
+
+mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
+
+$mysqli = new mysqli($host, $user, $passwd, $db, $port, $socket);
+$stmt   = $mysqli->prepare('SELECT 1');
+
+var_dump(
+	$mysqli->close(),
+	$stmt->free_result(),
+	$stmt->close()
+);
+
+?>
+--EXPECT--
+bool(true)
+NULL
+bool(true)

ext/mysqlnd/mysqlnd_ps.c

@@ -2005,8 +2005,9 @@ MYSQLND_METHOD(mysqlnd_stmt, free_result)(MYSQLND_STMT * const s)
 		stmt->state = MYSQLND_STMT_PREPARED;
 	}
 
-	/* Line is free! */
-	CONN_SET_STATE(stmt->conn, CONN_READY);
+	if (CONN_GET_STATE(stmt->conn) != CONN_QUIT_SENT) {
+		CONN_SET_STATE(stmt->conn, CONN_READY);
+	}
 
 	DBG_RETURN(PASS);
 }