andrey Mon, 31 May 2010 18:18:37 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=300000
Log: Don't reference row_packet before checking if dereferencing is possible Changed paths: U php/php-src/branches/PHP_5_3/ext/mysqlnd/mysqlnd_ps.c U php/php-src/trunk/ext/mysqlnd/mysqlnd_ps.c Modified: php/php-src/branches/PHP_5_3/ext/mysqlnd/mysqlnd_ps.c =================================================================== --- php/php-src/branches/PHP_5_3/ext/mysqlnd/mysqlnd_ps.c 2010-05-31 18:10:25 UTC (rev 299999) +++ php/php-src/branches/PHP_5_3/ext/mysqlnd/mysqlnd_ps.c 2010-05-31 18:18:37 UTC (rev 300000) @@ -308,7 +308,7 @@ { MYSQLND_STMT_DATA * stmt = s? s->data:NULL; MYSQLND_PACKET_EOF * fields_eof; - enum_func_status ret; + enum_func_status ret = FAIL; DBG_ENTER("mysqlnd_stmt_prepare_read_eof"); DBG_INF_FMT("stmt=%lu", stmt->stmt_id); @@ -371,6 +371,9 @@ fails, we will scrap it. */ s_to_prepare = stmt->conn->m->stmt_init(stmt->conn TSRMLS_CC); + if (!s_to_prepare) { + goto fail; + } stmt_to_prepare = s_to_prepare->data; } @@ -427,7 +430,7 @@ DBG_RETURN(PASS); fail: - if (stmt_to_prepare != stmt) { + if (stmt_to_prepare != stmt && s_to_prepare) { s_to_prepare->m->dtor(s_to_prepare, TRUE TSRMLS_CC); } stmt->state = MYSQLND_STMT_INITTED; @@ -776,7 +779,7 @@ enum_func_status ret; MYSQLND_STMT * s = (MYSQLND_STMT *) param; MYSQLND_STMT_DATA * stmt = s? s->data:NULL; - MYSQLND_PACKET_ROW *row_packet = result->row_packet; + MYSQLND_PACKET_ROW * row_packet; DBG_ENTER("mysqlnd_stmt_fetch_row_unbuffered"); @@ -793,6 +796,10 @@ DBG_ERR("command out of sync"); DBG_RETURN(FAIL); } + if (!(row_packet = result->row_packet)) { + DBG_RETURN(FAIL); + } + /* Let the row packet fill our buffer and skip additional malloc + memcpy */ row_packet->skip_extraction = stmt && stmt->result_bind? FALSE:TRUE; @@ -943,9 +950,9 @@ { enum_func_status ret; MYSQLND_STMT * s = (MYSQLND_STMT *) param; - MYSQLND_STMT_DATA * stmt = s? s->data : NULL; + MYSQLND_STMT_DATA * stmt = s? s->data:NULL; zend_uchar buf[STMT_ID_LENGTH /* statement id */ + 4 /* number of rows to fetch */]; - MYSQLND_PACKET_ROW *row_packet = result->row_packet; + MYSQLND_PACKET_ROW * row_packet; DBG_ENTER("mysqlnd_fetch_stmt_row_cursor"); @@ -963,6 +970,9 @@ DBG_ERR("command out of sync"); DBG_RETURN(FAIL); } + if (!(row_packet = result->row_packet)) { + DBG_RETURN(FAIL); + } SET_EMPTY_ERROR(stmt->error_info); SET_EMPTY_ERROR(stmt->conn->error_info); @@ -1466,7 +1476,6 @@ DBG_ENTER("mysqlnd_stmt::bind_result"); DBG_INF_FMT("stmt=%lu field_count=%u", stmt->stmt_id, stmt->field_count); - if (stmt->state < MYSQLND_STMT_PREPARED) { SET_STMT_ERROR(stmt, CR_NO_PREPARE_STMT, UNKNOWN_SQLSTATE, mysqlnd_stmt_not_prepared); if (result_bind) { @@ -1673,7 +1682,6 @@ if (!stmt->param_count) { return NULL; } - return NULL; } /* }}} */ Modified: php/php-src/trunk/ext/mysqlnd/mysqlnd_ps.c =================================================================== --- php/php-src/trunk/ext/mysqlnd/mysqlnd_ps.c 2010-05-31 18:10:25 UTC (rev 299999) +++ php/php-src/trunk/ext/mysqlnd/mysqlnd_ps.c 2010-05-31 18:18:37 UTC (rev 300000) @@ -308,7 +308,7 @@ { MYSQLND_STMT_DATA * stmt = s? s->data:NULL; MYSQLND_PACKET_EOF * fields_eof; - enum_func_status ret; + enum_func_status ret = FAIL; DBG_ENTER("mysqlnd_stmt_prepare_read_eof"); DBG_INF_FMT("stmt=%lu", stmt->stmt_id); @@ -371,6 +371,9 @@ fails, we will scrap it. */ s_to_prepare = stmt->conn->m->stmt_init(stmt->conn TSRMLS_CC); + if (!s_to_prepare) { + goto fail; + } stmt_to_prepare = s_to_prepare->data; } @@ -427,7 +430,7 @@ DBG_RETURN(PASS); fail: - if (stmt_to_prepare != stmt) { + if (stmt_to_prepare != stmt && s_to_prepare) { s_to_prepare->m->dtor(s_to_prepare, TRUE TSRMLS_CC); } stmt->state = MYSQLND_STMT_INITTED; @@ -776,7 +779,7 @@ enum_func_status ret; MYSQLND_STMT * s = (MYSQLND_STMT *) param; MYSQLND_STMT_DATA * stmt = s? s->data:NULL; - MYSQLND_PACKET_ROW *row_packet = result->row_packet; + MYSQLND_PACKET_ROW * row_packet; DBG_ENTER("mysqlnd_stmt_fetch_row_unbuffered"); @@ -793,6 +796,10 @@ DBG_ERR("command out of sync"); DBG_RETURN(FAIL); } + if (!(row_packet = result->row_packet)) { + DBG_RETURN(FAIL); + } + /* Let the row packet fill our buffer and skip additional malloc + memcpy */ row_packet->skip_extraction = stmt && stmt->result_bind? FALSE:TRUE; @@ -943,9 +950,9 @@ { enum_func_status ret; MYSQLND_STMT * s = (MYSQLND_STMT *) param; - MYSQLND_STMT_DATA * stmt = s? s->data : NULL; + MYSQLND_STMT_DATA * stmt = s? s->data:NULL; zend_uchar buf[STMT_ID_LENGTH /* statement id */ + 4 /* number of rows to fetch */]; - MYSQLND_PACKET_ROW *row_packet = result->row_packet; + MYSQLND_PACKET_ROW * row_packet; DBG_ENTER("mysqlnd_fetch_stmt_row_cursor"); @@ -963,6 +970,9 @@ DBG_ERR("command out of sync"); DBG_RETURN(FAIL); } + if (!(row_packet = result->row_packet)) { + DBG_RETURN(FAIL); + } SET_EMPTY_ERROR(stmt->error_info); SET_EMPTY_ERROR(stmt->conn->error_info); @@ -1466,7 +1476,6 @@ DBG_ENTER("mysqlnd_stmt::bind_result"); DBG_INF_FMT("stmt=%lu field_count=%u", stmt->stmt_id, stmt->field_count); - if (stmt->state < MYSQLND_STMT_PREPARED) { SET_STMT_ERROR(stmt, CR_NO_PREPARE_STMT, UNKNOWN_SQLSTATE, mysqlnd_stmt_not_prepared); if (result_bind) { @@ -1673,7 +1682,6 @@ if (!stmt->param_count) { return NULL; } - return NULL; } /* }}} */
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php