fixed memleak and segfault when constructor call failed

4 files changed, 31 insertions, 13 deletions

diff --git a/ext/mysqli/mysqli.c b/ext/mysqli/mysqli.c
index 55e06e7bb8..9138c07b01 100644
--- a/ext/mysqli/mysqli.c
+++ b/ext/mysqli/mysqli.c
@@ -165,6 +165,14 @@ zval *mysqli_read_property(zval *object, zval *member, zend_bool silent TSRMLS_D
 	zend_object_handlers *std_hnd;
 	int ret;
 
+	ret = FAILURE;
+	obj = (mysqli_object *)zend_objects_get_address(object TSRMLS_CC);
+
+	if (!obj->valid) {
+		retval = EG(uninitialized_zval_ptr);
+		return(retval);
+	}
+
  	if (member->type != IS_STRING) {
 		tmp_member = *member;
 		zval_copy_ctor(&tmp_member);
@@ -172,9 +180,6 @@ zval *mysqli_read_property(zval *object, zval *member, zend_bool silent TSRMLS_D
 		member = &tmp_member;
 	}
 
-	ret = FAILURE;
-	obj = (mysqli_object *)zend_objects_get_address(object TSRMLS_CC);
-
 	if (obj->prop_handler != NULL) {
 		ret = zend_hash_find(obj->prop_handler, Z_STRVAL_P(member), Z_STRLEN_P(member)+1, (void **) &hnd);
 	}
@@ -198,7 +203,7 @@ zval *mysqli_read_property(zval *object, zval *member, zend_bool silent TSRMLS_D
 }
 /* }}} */
 
-/* {{{ mysqli_read_property */
+/* {{{ mysqli_write_property */
 void mysqli_write_property(zval *object, zval *member, zval *value TSRMLS_DC)
 {
 	zval tmp_member;
@@ -261,6 +266,7 @@ PHP_MYSQLI_EXPORT(zend_object_value) mysqli_objects_new(zend_class_entry *class_
 	intern->zo.in_get = 0;
 	intern->zo.in_set = 0;
 	intern->ptr = NULL;
+	intern->valid = 0;
 	intern->prop_handler = NULL;
 
 	zend_hash_find(&classes, class_type->name, class_type->name_length + 1, (void **) &intern->prop_handler);
diff --git a/ext/mysqli/mysqli_api.c b/ext/mysqli/mysqli_api.c
index 3685e6eec7..21e28cc4ef 100644
--- a/ext/mysqli/mysqli_api.c
+++ b/ext/mysqli/mysqli_api.c
@@ -1136,7 +1136,6 @@ PHP_FUNCTION(mysqli_num_rows)
 {
 	MYSQL_RES	*result;
 	zval		*mysql_result;
-	ulong		rc;
 
 	if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "O", &mysql_result, mysqli_result_class_entry) == FAILURE) {
 		return;
@@ -1302,11 +1301,12 @@ PHP_FUNCTION(mysqli_read_query_result)
    Open a connection to a mysql server */ 
 PHP_FUNCTION(mysqli_real_connect)
 {
-	MYSQL 		*mysql;
-	char 		*hostname = NULL, *username=NULL, *passwd=NULL, *dbname=NULL, *socket=NULL;
-	unsigned int hostname_len, username_len, passwd_len, dbname_len, socket_len;
-	unsigned int port=0, flags=0;
-	zval 		*mysql_link;
+	MYSQL 			*mysql;
+	char 			*hostname = NULL, *username=NULL, *passwd=NULL, *dbname=NULL, *socket=NULL;
+	unsigned int 	hostname_len, username_len, passwd_len, dbname_len, socket_len;
+	unsigned int 	port=0, flags=0;
+	zval			*mysql_link;
+	zval  			*object = getThis();
 
 	if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "O|sssslsl", &mysql_link, mysqli_link_class_entry,
 		&hostname, &hostname_len, &username, &username_len, &passwd, &passwd_len, &dbname, &dbname_len, &port, &socket, &socket_len,
@@ -1352,6 +1352,10 @@ PHP_FUNCTION(mysqli_real_connect)
 	}
 	php_mysqli_set_error(mysql_errno(mysql), (char *)mysql_error(mysql) TSRMLS_CC);
 	
+	if (object) {
+		((mysqli_object *) zend_object_store_get_object(object TSRMLS_CC))->valid = 1;
+	}
+
 	RETURN_TRUE;
 }
 /* }}} */
diff --git a/ext/mysqli/mysqli_nonapi.c b/ext/mysqli/mysqli_nonapi.c
index 2a50d773c8..fab4f840bb 100644
--- a/ext/mysqli/mysqli_nonapi.c
+++ b/ext/mysqli/mysqli_nonapi.c
@@ -33,13 +33,14 @@
    Open a connection to a mysql server */ 
 PHP_FUNCTION(mysqli_connect)
 {
-	MYSQL 				*mysql;
+	MYSQL 				*mysql = NULL;
 	MYSQLI_RESOURCE 	*mysqli_resource;
 	zval  				*object = getThis();
 	char 				*hostname = NULL, *username=NULL, *passwd=NULL, *dbname=NULL, *socket=NULL;
 	unsigned int 		hostname_len, username_len, passwd_len, dbname_len, socket_len;
 	unsigned int 		port=0;
 
+
 	if (getThis() && !ZEND_NUM_ARGS()) {
 		RETURN_NULL();
 	}
@@ -89,6 +90,7 @@ PHP_FUNCTION(mysqli_connect)
 		MYSQLI_RETURN_RESOURCE(mysqli_resource, mysqli_link_class_entry);	
 	} else {
 		((mysqli_object *) zend_object_store_get_object(object TSRMLS_CC))->ptr = mysqli_resource;
+		((mysqli_object *) zend_object_store_get_object(object TSRMLS_CC))->valid = 1;
 	}
 }
 /* }}} */
diff --git a/ext/mysqli/php_mysqli.h b/ext/mysqli/php_mysqli.h
index e4c1f01393..aaf80728ef 100644
--- a/ext/mysqli/php_mysqli.h
+++ b/ext/mysqli/php_mysqli.h
@@ -57,12 +57,13 @@ typedef struct {
 } PROFILER;
 
 typedef struct {
-	void		*ptr;		/* resource: (mysql, result, stmt) */
+	void		*ptr;		/* resource: (mysql, result, stmt)   */
 } MYSQLI_RESOURCE;
 
 typedef struct _mysqli_object {
 	zend_object 	zo;
 	void 			*ptr;
+	char			valid;
 	HashTable 		*prop_handler;
 } mysqli_object; /* extends zend_object */
 
@@ -136,7 +137,8 @@ PHP_MYSQLI_EXPORT(zend_object_value) mysqli_objects_new(zend_class_entry * TSRML
 } \
 
 #define MYSQLI_REGISTER_RESOURCE_EX(__ptr, __zval, __ce)  \
-	((mysqli_object *) zend_object_store_get_object(__zval TSRMLS_CC))->ptr = __ptr;
+	((mysqli_object *) zend_object_store_get_object(__zval TSRMLS_CC))->ptr = __ptr; \
+	((mysqli_object *) zend_object_store_get_object(__zval TSRMLS_CC))->valid = 1;
 
 #define MYSQLI_RETURN_RESOURCE(__ptr, __ce) \
 	Z_TYPE_P(return_value) = IS_OBJECT; \
@@ -162,6 +164,10 @@ PHP_MYSQLI_EXPORT(zend_object_value) mysqli_objects_new(zend_class_entry * TSRML
   		php_error(E_WARNING, "Couldn't fetch %s", intern->zo.ce->name);\
   		RETURN_NULL();\
   	}\
+	if (!intern->valid) { \
+		php_error(E_WARNING, "invalid resource %s", intern->zo.ce->name); \
+		RETURN_NULL(); \
+	} \
 	__ptr = (__type)my_res->ptr; \
 	if (!strcmp((char *)__name, "mysqli_stmt")) {\
 		if (!((STMT *)__ptr)->stmt->mysql) {\