Commit 7c59735

ext/mysqli: Fix stmt->query leak in mysqli_execute_query() validation errors.
When MYSQLI_REPORT_INDEX is enabled, mysqli_execute_query() duplicates the query string into stmt->query. The two input_params validation error branches freed the MY_STMT wrapper directly without releasing stmt->query, leaking the duplicated string per failing call.
1 parent 5bd7e3b commit 7c59735

1 file changed

Lines changed: 8 additions & 0 deletions

ext/mysqli/mysqli_api.c

@@ -532,6 +532,10 @@ PHP_FUNCTION(mysqli_execute_query)
532532
MYSQLND_PARAM_BIND *params;
533533

534534
if (!zend_array_is_list(input_params)) {
535+
if (stmt->query) {
536+
efree(stmt->query);
537+
stmt->query = NULL;
538+
}
535539
mysqli_stmt_close(stmt->stmt, false);
536540
stmt->stmt = NULL;
537541
efree(stmt);
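Review bot: The `if (stmt->query)` guard added to the `!zend_array_is_list(input_params)` branch is only safe if the `MY_STMT` wrapper is zero-initialised when it is allocated, because the commit message says `stmt->query` is assigned only when MYSQLI_REPORT_INDEX is enabled. The allocation is outside this hunk, so please confirm it is a zeroing allocation; otherwise this guard reads an uninitialised pointer and `efree()` is called on garbage when the report flag is off. Separately, `stmt->query = NULL;` has no effect here since `efree(stmt);` follows and `mysqli_stmt_close(stmt->stmt, false);` receives only the inner handle; keeping it is harmless, but a short comment saying it is defensive would help the next reader.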
@@ -542,6 +546,10 @@ PHP_FUNCTION(mysqli_execute_query)
542546
hash_num_elements = zend_hash_num_elements(input_params);
543547
param_count = mysql_stmt_param_count(stmt->stmt);
544548
if (hash_num_elements != param_count) {
549+
if (stmt->query) {
550+
efree(stmt->query);
551+
stmt->query = NULL;
552+
}
545553
mysqli_stmt_close(stmt->stmt, false);
546554
stmt->stmt = NULL;
547555
efree(stmt);
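Review bot: The cleanup in the `hash_num_elements != param_count` branch is a verbatim copy of the block added to the list-check branch above, so the function now carries two seven-line teardown sequences (`efree(stmt->query)`, `mysqli_stmt_close(stmt->stmt, false)`, `efree(stmt)`) that must be kept in sync by hand. That hand-copied pattern is how this leak arose in the first place. Consider moving the teardown into one static helper or a single cleanup label that both branches jump to, so a later error path cannot free the wrapper without releasing `stmt->query`. The commit also touches only `ext/mysqli/mysqli_api.c`; a regression test that calls `mysqli_execute_query()` with a non-list array and with a mismatched parameter count while MYSQLI_REPORT_INDEX is set would let the leak checker in a debug build catch a reintroduction.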
