|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #74376 Invalid free of persistent results on error/connection loss
Submitted: 2017-04-05 18:51 UTC Modified: 2017-04-10 05:58 UTC
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: dev at pp3345 dot net Assigned: krakjoe (profile)
Status: Closed Package: MySQL related
PHP Version: 7.1.3 OS: Irrelevant
Private report: No CVE-ID: None
 [2017-04-05 18:51 UTC] dev at pp3345 dot net
mysqlnd allocates result objects in mysqlnd_result.c:1899 (mysqlnd_result_init):
	MYSQLND_RES * ret = mnd_pecalloc(1, alloc_size, persistent);

Note that these objects may be allocated persistently if the underlying connection is persistent. Normally these objects will be free'd in mysqlnd_result.c:347 (mysqlnd_res::free_result_internal):
	mnd_pefree(result, result->persistent);
Here, the persistency flag is respected.

However, in some cases (query errors or connection loss), mysqlnd_ps.c will use mnd_efree() instead of mnd_pefree() to free a result object:
line 132 (mysqlnd_stmt::store_result):
line 359 (mysqlnd_stmt_prepare_read_eof):

This will cause segfaults/"zend_mm_heap corrupted" in the above-mentioned cases.

Test script:

$conn = new PDO("mysql:...", "...", "...", [PDO::ATTR_PERSISTENT => true, PDO::ATTR_EMULATE_PREPARES => false]);
$conn->query("select (select 1 union select 2)");

Expected result:
Script executes successfully.

Actual result:


Add a Patch

Pull Requests

Pull requests:

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2017-04-10 05:58 UTC]
-Status: Open +Status: Closed -Assigned To: +Assigned To: krakjoe
 [2017-04-10 05:58 UTC]
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at

 For Windows:
Thank you for the report, and for helping us make PHP better.

Not sure why this didn't close automatically.
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Fri Dec 08 12:01:27 2023 UTC