Fixed Bug #65199 pg_copy_from() modifies input array variable

2 files changed, 66 insertions, 10 deletions

diff --git a/ext/pgsql/pgsql.c b/ext/pgsql/pgsql.c
index 426de41ae9..33e65767cf 100644
--- a/ext/pgsql/pgsql.c
+++ b/ext/pgsql/pgsql.c
@@ -4059,18 +4059,26 @@ PHP_FUNCTION(pg_copy_from)
 				zend_hash_internal_pointer_reset_ex(Z_ARRVAL_P(pg_rows), &pos);
 #if HAVE_PQPUTCOPYDATA
 				while (zend_hash_get_current_data_ex(Z_ARRVAL_P(pg_rows), (void **) &tmp, &pos) == SUCCESS) {
-					convert_to_string_ex(tmp);
-					query = (char *)emalloc(Z_STRLEN_PP(tmp) + 2);
-					strlcpy(query, Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp) + 2);
-					if(Z_STRLEN_PP(tmp) > 0 && *(query + Z_STRLEN_PP(tmp) - 1) != '\n') {
-						strlcat(query, "\n", Z_STRLEN_PP(tmp) + 2);
+					zval *value;
+					ALLOC_ZVAL(value);
+					INIT_PZVAL_COPY(value, *tmp);
+					zval_copy_ctor(value);
+					convert_to_string_ex(&value);
+					query = (char *)emalloc(Z_STRLEN_P(value) + 2);
+					strlcpy(query, Z_STRVAL_P(value), Z_STRLEN_P(value) + 2);
+					if(Z_STRLEN_P(value) > 0 && *(query + Z_STRLEN_P(value) - 1) != '\n') {
+						strlcat(query, "\n", Z_STRLEN_P(value) + 2);
 					}
 					if (PQputCopyData(pgsql, query, strlen(query)) != 1) {
 						efree(query);
+						zval_dtor(value);
+						efree(value);
 						PHP_PQ_ERROR("copy failed: %s", pgsql);
 						RETURN_FALSE;
 					}
 					efree(query);
+					zval_dtor(value);
+					efree(value);
 					zend_hash_move_forward_ex(Z_ARRVAL_P(pg_rows), &pos);
 				}
 				if (PQputCopyEnd(pgsql, NULL) != 1) {
@@ -4079,18 +4087,26 @@ PHP_FUNCTION(pg_copy_from)
 				}
 #else
 				while (zend_hash_get_current_data_ex(Z_ARRVAL_P(pg_rows), (void **) &tmp, &pos) == SUCCESS) {
-					convert_to_string_ex(tmp);
-					query = (char *)emalloc(Z_STRLEN_PP(tmp) + 2);
-					strlcpy(query, Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp) + 2);
-					if(Z_STRLEN_PP(tmp) > 0 && *(query + Z_STRLEN_PP(tmp) - 1) != '\n') {
-						strlcat(query, "\n", Z_STRLEN_PP(tmp) + 2);
+					zval *value;
+					ALLOC_ZVAL(value);
+					INIT_PZVAL_COPY(value, *tmp);
+					zval_copy_ctor(value);
+					convert_to_string_ex(&value);
+					query = (char *)emalloc(Z_STRLEN_P(value) + 2);
+					strlcpy(query, Z_STRVAL_P(value), Z_STRLEN_P(value) + 2);
+					if(Z_STRLEN_P(value) > 0 && *(query + Z_STRLEN_P(value) - 1) != '\n') {
+						strlcat(query, "\n", Z_STRLEN_P(value) + 2);
 					}
 					if (PQputline(pgsql, query)==EOF) {
 						efree(query);
+						zval_dtor(value);
+						efree(value);
 						PHP_PQ_ERROR("copy failed: %s", pgsql);
 						RETURN_FALSE;
 					}
 					efree(query);
+					zval_dtor(value);
+					efree(value);
 					zend_hash_move_forward_ex(Z_ARRVAL_P(pg_rows), &pos);
 				}
 				if (PQputline(pgsql, "\\.\n") == EOF) {
diff --git a/ext/pgsql/tests/bug65119.phpt b/ext/pgsql/tests/bug65119.phpt
new file mode 100644
index 0000000000..c02ff28f06
--- /dev/null
+++ b/ext/pgsql/tests/bug65119.phpt
@@ -0,0 +1,40 @@
+--TEST--
+Bug #65119 (pg_copy_from() modifies input array variable)
+--SKIPIF--
+<?php
+include("skipif.inc");
+?>
+--FILE--
+<?php
+include 'config.inc';
+
+function test(Array $values, $conn_str) {
+  $connection = pg_pconnect($conn_str, PGSQL_CONNECT_FORCE_NEW);
+  pg_query("begin");
+  pg_query("CREATE TABLE bug65119 (i INTEGER)");
+  pg_copy_from($connection, "bug65119", $values, "\t", "NULL");
+  pg_query("rollback");
+}
+
+$values = Array(1,2,3);
+var_dump($values);
+test($values, $conn_str);
+var_dump($values);
+?>
+--EXPECT--
+array(3) {
+  [0]=>
+  int(1)
+  [1]=>
+  int(2)
+  [2]=>
+  int(3)
+}
+array(3) {
+  [0]=>
+  int(1)
+  [1]=>
+  int(2)
+  [2]=>
+  int(3)
+}