Fix (by Andrey) and test for bug #49442 . Don't use efree() for memory allocated with malloc()... If a connection gets created by mysqli_init(), mysqlnd makes it 'persistent'. 'Persistent' means that mysqlnd uses malloc(). mysqlnd does use malloc() instead of ealloc() because it is unknown if the connection will become a true persistent connection in the sense of ext/mysqli. It is unknown if the user wants a persistent connection or not until the user calls mysqli_real_connect(). To avoid tricky conversions mysqlnd uses malloc(), which sets a private persistent flag in the mysqlnd structures. A precondition for the crash to happen was that the private persistent flag is set. The flag is also set when creating a real persistent connection (in the sense of ext/mysqli) and so the bug can happen with mysql_init()/mysqli_real_connect() and mysql_connect('p:<host>', ...). Therefore we test both cases. Note the (tricky?) difference between the implementation detail'mysqlnd private persistent flag = use malloc()' and persistent connections from a user perspective. Although mysqlnd will always set its private persistent flag and use malloc() for connections created with mysqli_init() it is still up to the user to decide in mysqli_real_connect() if the connection shall become a (true) persistent connection or not.

1 files changed, 5 insertions, 3 deletions

diff --git a/ext/mysqlnd/mysqlnd_priv.h b/ext/mysqlnd/mysqlnd_priv.h
index ae3752e6d3..856b7076c6 100644
--- a/ext/mysqlnd/mysqlnd_priv.h
+++ b/ext/mysqlnd/mysqlnd_priv.h
@@ -104,10 +104,12 @@
 		if ((buf)) { \
 			pefree((buf), (persistent)); \
 		} \
-		(buf) = (message); \
+		if ((message)) { \
+			(buf) = pestrndup((message), (len), (persistent)); \
+		} else { \
+			buf = NULL; \
+		} \
 		(buf_len) = (len); \
-		/* Transfer ownership*/ \
-		(message) = NULL; \
 	}
 
 #define SET_EMPTY_MESSAGE(buf, buf_len, persistent) \