authorAnatol Belski <ab@php.net>2016-05-12 11:40:28 +0200
committerAnatol Belski <ab@php.net>2016-05-12 11:40:28 +0200
commit7f6e285430e8ec8109085a24978796fc99813498 (patch)
tree17044529d631f259c82b4933cfae7c0215bb2a2a
parent3797e570b20934236a186acc6dc7eda950c8d034 (diff)
downloadphp-git-7f6e285430e8ec8109085a24978796fc99813498.tar.gz
Fixed bug #72197 pg_lo_create arbitrary read
-rw-r--r--ext/pgsql/pgsql.c4
-rw-r--r--ext/pgsql/tests/bug72197.phpt35
2 files changed, 38 insertions, 1 deletions
diff --git a/ext/pgsql/pgsql.c b/ext/pgsql/pgsql.c
index 76dfd2a9e5..8f0db26c92 100644
--- a/ext/pgsql/pgsql.c
+++ b/ext/pgsql/pgsql.c
@@ -3213,8 +3213,10 @@ PHP_FUNCTION(pg_lo_create)
if (pgsql_link == NULL) {
link = FETCH_DEFAULT_LINK();
CHECK_DEFAULT_LINK(link);
- } else {
+ } else if ((Z_TYPE_P(pgsql_link) == IS_RESOURCE)) {
link = Z_RES_P(pgsql_link);
+ } else {
+ link = NULL;
}
if ((pgsql = (PGconn *)zend_fetch_resource2(link, "PostgreSQL link", le_link, le_plink)) == NULL) {
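Review bot: The new `else { link = NULL; }` branch depends on `zend_fetch_resource2()` on the next line rejecting a NULL resource, and nothing in the code says so. The warning the new test expects suggests it does, but a comment on the branch would keep a later refactor from reintroducing the unchecked `Z_RES_P()`: `/* not a resource: Z_RES_P() would treat the zval's value as a pointer; NULL is rejected by zend_fetch_resource2() below */`. The doubled parentheses in `else if ((Z_TYPE_P(pgsql_link) == IS_RESOURCE))` are redundant and can be written `else if (Z_TYPE_P(pgsql_link) == IS_RESOURCE)`. The body of pg_lo_create starts and ends outside this hunk, so the parameter parsing that lets a non-resource reach this point is not visible. Any other function in the file that takes its link from an untyped zval would presumably need the same type check.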
diff --git a/ext/pgsql/tests/bug72197.phpt b/ext/pgsql/tests/bug72197.phpt
new file mode 100644
index 0000000000..da52d8ea69
--- /dev/null
+++ b/ext/pgsql/tests/bug72197.phpt
@@ -0,0 +1,35 @@
+--TEST--
+Bug #72197 pg_lo_create arbitrary read
+--SKIPIF--
+<?php include("skipif.inc"); ?>
+--FILE--
+<?php
+/* This shouldn't crash. */
+$var1=-32768;
+$var2="12";
+pg_lo_create($var1, $var2);
+
+/* This should work correctly. */
+include('config.inc');
+
+/* Check with explicit link. */
+$conn = pg_connect($conn_str);
+pg_query($conn, "BEGIN");
+$oid = pg_lo_create($conn);
+var_dump($oid);
+
+/* Check with default link */
+$oid = pg_lo_create();
+var_dump($oid);
+
+/* don't commit */
+pg_query($conn, "ROLLBACK");
+pg_close($conn);
+?>
+==DONE==
+--EXPECTF--
+Warning: pg_lo_create(): supplied resource is not a valid PostgreSQL link resource in %sbug72197.php on line %d
+int(%d)
+int(%d)
+==DONE==
+
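Review bot: The first call, `pg_lo_create($var1, $var2);`, discards its return value, so the test pins only the warning and not that the call fails cleanly. Writing it as `var_dump(pg_lo_create($var1, $var2));` and adding `bool(false)` after the warning line in `--EXPECTF--` would assert the rejected-link path explicitly. That assumes the function returns false there, which the pgsql.c hunk does not show. Only an integer is tried in the link position; a string or an array as the first of two arguments would cover the other non-resource types that take the new `else` branch.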