From b7488a617cfc74946d0409e9682ff1ef86d2441d Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Fri, 16 Aug 2024 18:37:58 +0200 Subject: [PATCH 1/5] Fix GH-15432: Heap corruption when querying a vector Since the mysqlnd result set is arena allocated, we must not simply free it, but rather call the appropriate `free_result` method. --- ext/mysqli/tests/gh15432.phpt | 24 ++++++++++++++++++++++++ ext/mysqlnd/mysqlnd_result.c | 2 +- ext/pdo_mysql/tests/gh15432.phpt | 22 ++++++++++++++++++++++ 3 files changed, 47 insertions(+), 1 deletion(-) create mode 100644 ext/mysqli/tests/gh15432.phpt create mode 100644 ext/pdo_mysql/tests/gh15432.phpt diff --git a/ext/mysqli/tests/gh15432.phpt b/ext/mysqli/tests/gh15432.phpt new file mode 100644 index 0000000000000..50f9754fd4ebc --- /dev/null +++ b/ext/mysqli/tests/gh15432.phpt @@ -0,0 +1,24 @@ +--TEST-- +Bug GH-15432 (Heap corruption when querying a vector) +--EXTENSIONS-- +mysqli +--SKIPIF-- +server_version < 90000) { + die("skip ads"); +} +?> +--FILE-- +query('SELECT STRING_TO_VECTOR("[1.05, -17.8, 32]")')); +?> +--EXPECTF-- +Warning: mysqli::query(): Unknown type 242 sent by the server. Please send a report to the developers in %s on line %d +bool(false) diff --git a/ext/mysqlnd/mysqlnd_result.c b/ext/mysqlnd/mysqlnd_result.c index cf091a802bb66..4ae68824e9cf6 100644 --- a/ext/mysqlnd/mysqlnd_result.c +++ b/ext/mysqlnd/mysqlnd_result.c @@ -302,7 +302,7 @@ mysqlnd_query_read_result_set_header(MYSQLND_CONN_DATA * conn, MYSQLND_STMT * s) if (FAIL == (ret = result->m.read_result_metadata(result, conn))) { /* For PS, we leave them in Prepared state */ if (!stmt && conn->current_result) { - mnd_efree(conn->current_result); + result->m.free_result(result, TRUE); conn->current_result = NULL; } DBG_ERR("Error occurred while reading metadata"); diff --git a/ext/pdo_mysql/tests/gh15432.phpt b/ext/pdo_mysql/tests/gh15432.phpt new file mode 100644 index 0000000000000..97ae8a87cdead --- /dev/null 
+++ b/ext/pdo_mysql/tests/gh15432.phpt @@ -0,0 +1,22 @@ +--TEST-- +Bug GH-15432 (Heap corruption when querying a vector) +--EXTENSIONS-- +pdo_mysql +--SKIPIF-- + +--FILE-- +query('SELECT STRING_TO_VECTOR("[1.05, -17.8, 32]")')); +?> +--EXPECTF-- +Warning: PDO::query(): Unknown type 242 sent by the server. Please send a report to the developers in %s on line %d +bool(false) From ee9853035437011023586bc0495800e63236b4cf Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Fri, 16 Aug 2024 20:03:33 +0200 Subject: [PATCH 2/5] Drop pdo_mysql test See . --- ext/pdo_mysql/tests/gh15432.phpt | 22 ---------------------- 1 file changed, 22 deletions(-) delete mode 100644 ext/pdo_mysql/tests/gh15432.phpt diff --git a/ext/pdo_mysql/tests/gh15432.phpt b/ext/pdo_mysql/tests/gh15432.phpt deleted file mode 100644 index 97ae8a87cdead..0000000000000 --- a/ext/pdo_mysql/tests/gh15432.phpt +++ /dev/null @@ -1,22 +0,0 @@ ---TEST-- -Bug GH-15432 (Heap corruption when querying a vector) ---EXTENSIONS-- -pdo_mysql ---SKIPIF-- - ---FILE-- -query('SELECT STRING_TO_VECTOR("[1.05, -17.8, 32]")')); -?> ---EXPECTF-- -Warning: PDO::query(): Unknown type 242 sent by the server. Please send a report to the developers in %s on line %d -bool(false) From 8a8e0410d2e269cef96d551ecc646f006ef7ab7e Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Fri, 16 Aug 2024 20:49:28 +0200 Subject: [PATCH 3/5] Update ext/mysqli/tests/gh15432.phpt Co-authored-by: Kamil Tekiela --- ext/mysqli/tests/gh15432.phpt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/mysqli/tests/gh15432.phpt b/ext/mysqli/tests/gh15432.phpt index 50f9754fd4ebc..680d389678468 100644 --- a/ext/mysqli/tests/gh15432.phpt +++ b/ext/mysqli/tests/gh15432.phpt @@ -10,7 +10,7 @@ if ($link === false) { die(sprintf("skip Can't connect to MySQL Server - [%d] %s", mysqli_connect_errno(), mysqli_connect_error())); } if ($link->server_version < 90000) { - die("skip ads"); + die("skip MySQL 9.0.0+ needed"); } ?> --FILE-- 
From dbdeeffbc6963635c20e85026d0125e34a626429 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Fri, 16 Aug 2024 20:53:23 +0200
Subject: [PATCH 4/5] Update ext/mysqlnd/mysqlnd_result.c
---
 ext/mysqlnd/mysqlnd_result.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ext/mysqlnd/mysqlnd_result.c b/ext/mysqlnd/mysqlnd_result.c
index 4ae68824e9cf6..43983279e7705 100644
--- a/ext/mysqlnd/mysqlnd_result.c
+++ b/ext/mysqlnd/mysqlnd_result.c
@@ -302,7 +302,7 @@ mysqlnd_query_read_result_set_header(MYSQLND_CONN_DATA * conn, MYSQLND_STMT * s)
 if (FAIL == (ret = result->m.read_result_metadata(result, conn))) {
 /* For PS, we leave them in Prepared state */
 if (!stmt && conn->current_result) {
- result->m.free_result(result, TRUE);
+ conn->current_result->m.free_result(conn->current_result, TRUE);
 conn->current_result = NULL;
 }
 DBG_ERR("Error occurred while reading metadata");
From 4da096594daa5b2fd0f3db38ebff80496987f192 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Fri, 16 Aug 2024 21:01:56 +0200
Subject: [PATCH 5/5] Update ext/mysqli/tests/gh15432.phpt
---
 ext/mysqli/tests/gh15432.phpt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ext/mysqli/tests/gh15432.phpt b/ext/mysqli/tests/gh15432.phpt
index 680d389678468..50372a1bbc544 100644
--- a/ext/mysqli/tests/gh15432.phpt
+++ b/ext/mysqli/tests/gh15432.phpt
@@ -9,7 +9,7 @@ $link = @my_mysqli_connect($host, $user, $passwd, $db, $port, $socket);
 if ($link === false) {
 die(sprintf("skip Can't connect to MySQL Server - [%d] %s", mysqli_connect_errno(), mysqli_connect_error()));
 }
-if ($link->server_version < 90000) {
+if ($link->server_version < 90000 || $link->server_version >= 10_00_00) {
 die("skip MySQL 9.0.0+ needed");
 }
 ?>
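Review bot: After `conn->current_result->m.free_result(conn->current_result, TRUE);` the local `result` may still point at the object just released — the line above reads metadata through `result` while the guard tests `conn->current_result`, which suggests (though it is not visible in this hunk) that the two alias when `stmt` is NULL. If they do alias, `result` is dangling from this point and nothing after the hunk may dereference it; clearing it next to the existing reset, `result = NULL;`, or a comment stating that this branch leaves the function without touching `result` again, would make that invariant explicit. mysqlnd_query_read_result_set_header starts and ends outside the hunk, so the code that follows the DBG_ERR call cannot be checked here.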
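Review bot: The new upper bound `$link->server_version >= 10_00_00` is not reflected in the skip message, which still reads `die("skip MySQL 9.0.0+ needed");`, so a 10.x server is now skipped with a reason that does not describe why. If the bound is meant to exclude MariaDB, which presumably reports 10.x version numbers without the MySQL 9 vector functions the test relies on, a short comment above the condition such as `// MariaDB reports 10.x+ and lacks STRING_TO_VECTOR` or a message like `die("skip MySQL 9.0.0+ (not MariaDB) needed");` would document the intent for the next maintainer.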