Fixed Bug #66034 (Segmentation Fault when constructor of PDO statement throws an exception)

laruence · laruence · commit e3d9e18e7b24 · 2013-11-05T11:04:55.000+08:00
I know zend_call_function will initilize retval_ptr_ptr, but still set
it to NULL explict is more readable
diff --git a/NEWS b/NEWS
@@ -18,10 +18,14 @@ PHP                                                                        NEWS
 - FTP:
   . Fixed bug #65667 (ftp_nb_continue produces segfault). (Philip Hofstetter)
 
-- ODBC
+- ODBC:
   . Fixed bug #65950 (Field name truncation if the field name is bigger than 
     32 characters). (patch submitted by: michael dot y at zend dot com, Yasuo)
 
+- PDO:
+  . Fixed bug #66033 (Segmentation Fault when constructor of PDO statement 
+    throws an exception). (Laruence)
+
 - Sockets:
   . Fixed bug #65808 (the socket_connect() won't work with IPv6 address).
     (Mike)
diff --git a/ext/pdo/pdo_dbh.c b/ext/pdo/pdo_dbh.c
@@ -460,7 +460,7 @@ static void pdo_stmt_construct(pdo_stmt_t *stmt, zval *object, zend_class_entry
 	if (dbstmt_ce->constructor) {
 		zend_fcall_info fci;
 		zend_fcall_info_cache fcc;
-		zval *retval;
+		zval *retval = NULL;
 
 		fci.size = sizeof(zend_fcall_info);
 		fci.function_table = &dbstmt_ce->function_table;
@@ -495,7 +495,7 @@ static void pdo_stmt_construct(pdo_stmt_t *stmt, zval *object, zend_class_entry
 			zval_dtor(object);
 			ZVAL_NULL(object);
 			object = NULL; /* marks failure */
-		} else {
+		} else if (retval) {
 			zval_ptr_dtor(&retval);
 		}
 			
diff --git a/ext/pdo_sqlite/tests/bug66033.phpt b/ext/pdo_sqlite/tests/bug66033.phpt
@@ -0,0 +1,33 @@
+--TEST--
+Bug #66033 (Segmentation Fault when constructor of PDO statement throws an exception)
+--SKIPIF--
+<?php
+if (!extension_loaded('pdo_sqlite')) print 'skip not loaded';
+?>
+--FILE--
+<?php
+class DBStatement extends PDOStatement {
+	public $dbh;
+	protected function __construct($dbh) {
+		$this->dbh = $dbh;
+		throw new Exception("Blah");
+	}
+}
+
+$pdo = new PDO('sqlite::memory:', null, null);
+$pdo->setAttribute(PDO::ATTR_STATEMENT_CLASS, array('DBStatement',
+	array($pdo)));
+$pdo->exec("CREATE TABLE IF NOT EXISTS messages (
+	id INTEGER PRIMARY KEY,
+	title TEXT,
+	message TEXT,
+	time INTEGER)");
+
+try {
+	$pdoStatement = $pdo->query("select * from messages");
+} catch (Exception $e) {
+	var_dump($e->getMessage());
+}
+?>
+--EXPECTF--
+string(4) "Blah"
