From 2dde07af55bb36d050f08dde4a7dba4f3cc1f181 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Thu, 20 Mar 2025 19:21:27 +0100
Subject: [PATCH] Fix memory leak when destroying PDORow This should call zend_object_std_dtor() to clean the property table etc. This also has a semantic influence because previously weak refs were not notified for example. This fixes the final issue in GH-18114 (the crash was master-only and fixed already). Closes GH-18114. Closes GH-18123.
---
 NEWS | 3 +++
 ext/pdo/pdo_stmt.c | 1 +
 ext/pdo_sqlite/tests/gh18114.phpt | 19 +++++++++++++++++++
 3 files changed, 23 insertions(+)
 create mode 100644 ext/pdo_sqlite/tests/gh18114.phpt
diff --git a/NEWS b/NEWS
index 49b80ebb7ae..24db3cc4fbe 100644
--- a/NEWS
+++ b/NEWS
@@ -37,6 +37,9 @@ PHP NEWS
 - Opcache: . Fixed bug GH-18112 (NULL access with preloading and INI option). (nielsdos)
+- PDO:
+ . Fix memory leak when destroying PDORow. (nielsdos)
+
 - SPL: . Fixed bug GH-18018 (RC1 data returned from offsetGet causes UAF in ArrayObject). (nielsdos)
diff --git a/ext/pdo/pdo_stmt.c b/ext/pdo/pdo_stmt.c
index 6aec9902623..efbf519e541 100644
--- a/ext/pdo/pdo_stmt.c
+++ b/ext/pdo/pdo_stmt.c
@@ -2506,6 +2506,7 @@ void pdo_row_free_storage(zend_object *std)
 ZVAL_UNDEF(&row->stmt->lazy_object_ref);
 OBJ_RELEASE(&row->stmt->std);
 }
+ zend_object_std_dtor(std);
 }
 zend_object *pdo_row_new(zend_class_entry *ce)
diff --git a/ext/pdo_sqlite/tests/gh18114.phpt b/ext/pdo_sqlite/tests/gh18114.phpt
new file mode 100644
index 00000000000..85055884548
--- /dev/null
+++ b/ext/pdo_sqlite/tests/gh18114.phpt
@@ -0,0 +1,19 @@
+--TEST--
+GH-18114 (pdo lazy object crash)
+--EXTENSIONS--
+pdo_sqlite
+--FILE--
+query('select 1 as queryString');
+$data = $x->fetch(PDO::FETCH_LAZY);
+foreach ($data as $entry) {
+ var_dump($entry);
+}
+var_dump((array) $data);
+echo "Done\n";
+?>
+--EXPECT--
+array(0) {
+}
+Done
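Review bot: The added `zend_object_std_dtor(std);` at the end of pdo_row_free_storage() has no comment, although per the commit message it is the call that frees the property table and notifies weak references, so a later cleanup of this handler could drop it again unnoticed. A one-line comment above it would record the reason, for example `/* Frees the property table and notifies weak references; required in every free_obj handler. */`. The call sits after the closing brace of the block that releases `row->stmt->std`, so from the visible lines it appears to run whether or not the row still holds a statement. The start of the function is outside the hunk, so how `row` is derived from `std` could not be checked here.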
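Review bot: The new gh18114.phpt exercises iteration and the array cast of the lazy row, but not the weak-reference notification that the commit message calls out as a semantic change, so a regression there would still pass this test. A weak reference that is not cleared when the row is freed would presumably keep pointing at released memory, which makes it worth pinning: take `$ref = WeakReference::create($data);`, drop the row with `unset($data);`, and expect `var_dump($ref->get());` to print `NULL`. The `--FILE--` section as shown appears to be missing its opening lines (the connection setup is not visible), so this is judged from the visible lines only.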