Fix bug #77955

nikic · nikic · commit 6f9dfd947302 · 2019-05-23T13:40:52.000+02:00
Free metadata before freeing the arena. I don't have a repro script,
but the added assertion fails for many existing tests prior to this
change.
diff --git a/NEWS b/NEWS
@@ -14,6 +14,10 @@ PHP                                                                        NEWS
   . Fixed bug #77956 (When mysqli.allow_local_infile = Off, use a meaningful
     error message). (Sjon Hortensius)
 
+- MySQLnd:
+  . Fixed bug #77955 (Random segmentation fault in mysqlnd from php-fpm).
+    (Nikita)
+
 - Opcache:
   . Fixed bug #78015 (Incorrect evaluation of expressions involving partials
     arrays in SCCP). (Nikita)
diff --git a/Zend/zend_arena.h b/Zend/zend_arena.h
@@ -110,6 +110,17 @@ static zend_always_inline void zend_arena_release(zend_arena **arena_ptr, void *
 	arena->ptr = (char*)checkpoint;
 }
 
+static zend_always_inline zend_bool zend_arena_contains(zend_arena *arena, void *ptr)
+{
+	while (arena) {
+		if ((char*)ptr > (char*)arena && (char*)ptr <= arena->ptr) {
+			return 1;
+		}
+		arena = arena->prev;
+	}
+	return 0;
+}
+
 #endif /* _ZEND_ARENA_H_ */
 
 /*
diff --git a/ext/mysqlnd/mysqlnd_result.c b/ext/mysqlnd/mysqlnd_result.c
@@ -294,13 +294,14 @@ void MYSQLND_METHOD(mysqlnd_res, free_result_contents_internal)(MYSQLND_RES * re
 {
 	DBG_ENTER("mysqlnd_res::free_result_contents_internal");
 
-	result->m.free_result_buffers(result);
-
 	if (result->meta) {
+		ZEND_ASSERT(zend_arena_contains(result->memory_pool->arena, result->meta));
 		result->meta->m->free_metadata(result->meta);
 		result->meta = NULL;
 	}
 
+	result->m.free_result_buffers(result);
+
 	DBG_VOID_RETURN;
 }
 /* }}} */

Original file line number	Diff line number	Diff line change
`@@ -294,13 +294,14 @@ void MYSQLND_METHOD(mysqlnd_res, free_result_contents_internal)(MYSQLND_RES * re`
`294`	`294`	`{`
`295`	`295`	`DBG_ENTER("mysqlnd_res::free_result_contents_internal");`
`296`	`296`
`297`		`- result->m.free_result_buffers(result);`
`298`		`-`
`299`	`297`	`if (result->meta) {`
	`298`	`+ ZEND_ASSERT(zend_arena_contains(result->memory_pool->arena, result->meta));`
`300`	`299`	`result->meta->m->free_metadata(result->meta);`
`301`	`300`	`result->meta = NULL;`
`302`	`301`	`}`
`303`	`302`
	`303`	`+ result->m.free_result_buffers(result);`
	`304`	`+`
`304`	`305`	`DBG_VOID_RETURN;`
`305`	`306`	`}`
`306`	`307`	`/* }}} */`