author | Andrey Hristov <andrey@php.net> | 2008-07-25 12:46:03 +0000 |
---|---|---|
committer | Andrey Hristov <andrey@php.net> | 2008-07-25 12:46:03 +0000 |
commit | 7833cf9f10201d54860e635e325b182bb352ff2c (patch) | |
tree | 8b0071f233597176c9f267ff7830ef104a5a934f /ext/mysqli | |
parent | aa81dabddc3776ca0f5dac14f89d4c35d45e7d2d (diff) | |
MFH: Fixed bug#45019 Segmentation fault with SELECT ? and UNION
Diffstat (limited to 'ext/mysqli')
-rw-r--r-- | ext/mysqli/mysqli_api.c | 9 | ||||
-rw-r--r-- | ext/mysqli/tests/bug45019.phpt | 6 |
2 files changed, 10 insertions, 5 deletions
diff --git a/ext/mysqli/mysqli_api.c b/ext/mysqli/mysqli_api.c index b95584b554..8e6c092654 100644 --- a/ext/mysqli/mysqli_api.c +++ b/ext/mysqli/mysqli_api.c @@ -389,8 +389,13 @@ mysqli_stmt_bind_result_do_bind(MY_STMT *stmt, zval ***args, unsigned int argc, if (stmt->stmt->fields[ofs].max_length == 0 && !mysql_stmt_attr_get(stmt->stmt, STMT_ATTR_UPDATE_MAX_LENGTH, &tmp) && !tmp) { - stmt->result.buf[ofs].buflen = - (stmt->stmt->fields) ? (stmt->stmt->fields[ofs].length) ? stmt->stmt->fields[ofs].length + 1: 256: 256; + /* + Allocate directly 256 because it's easier to allocate a bit more + than update max length even for text columns. Try SELECT UNION SELECT UNION with + different lengths and you will see that we get different lengths in stmt->stmt->fields[ofs].length + The just take 256 and saves us from realloc-ing. + */ + stmt->result.buf[ofs].buflen = 256; } else { /* the user has called store_result(). if he does not there is no way to determine the diff --git a/ext/mysqli/tests/bug45019.phpt b/ext/mysqli/tests/bug45019.phpt index 79fdf450c1..260806522c 100644 --- a/ext/mysqli/tests/bug45019.phpt +++ b/ext/mysqli/tests/bug45019.phpt @@ -57,7 +57,7 @@ require_once('skipifconnectfailure.inc'); printf("[006] [%d] %s\n", $link->errno, $link->error); $column1 = null; - if (!$stmt->bind_result($column1) || !$stmt->execute()) + if (!$stmt->execute() || !$stmt->bind_result($column1)) printf("[007] [%d] %s\n", $stmt->errno, $stmt->error); $index = 0; @@ -153,6 +153,6 @@ string(5) "three" string(3) "two" Testing bind_param(), strings only, with CAST AS CHAR... string(3) "one" -string(5) "three beers are more than enough" +string(32) "three beers are more than enough" string(3) "two" -done!
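Review bot: The hard-coded `stmt->result.buf[ofs].buflen = 256;` in the `max_length == 0` branch is safe only if everything that later writes into or reads from this result buffer is bounded by `buflen`, and neither the new comment nor the hunk shows that. The allocation and the fetch code are outside this hunk (the body of `mysqli_stmt_bind_result_do_bind` continues past it), so please confirm that the bind's buffer length is taken from `buflen` and that a column value longer than 256 bytes is reported as truncated and re-fetched, not copied using the length the server reports. The comment should state that contract, for example `Values longer than 256 bytes rely on truncation handling at fetch time.` (adjusted to what the fetch path really does), and the typo `The just take 256` should read `We just take 256`. A named constant in place of the bare `256` would make the size easier to audit.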
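Review bot: Swapping the call order to `!$stmt->execute() || !$stmt->bind_result($column1)` in the first hunk of bug45019.phpt means the test no longer covers `bind_result()` called before `execute()`, which is the order it used before this commit. If that order is still a supported use of the API, a regression there, possibly including the crash this commit fixes, would go unnoticed. Consider keeping a second case with the original order. If the old order is now considered invalid, a short comment next to the call should say so, for example `/* bind_result() is called after execute() on purpose, see bug #45019 */`.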
\ No newline at end of file +done! |